MessageIdVersionQualifiersLevelTaskOpcodeKeywordsRecordIdProviderNameProviderIdLogNameProcessIdThreadIdMachineNameUserIdTimeCreatedActivityIdRelatedActivityIdContainerLogMatchedQueryIdsBookmarkLevelDisplayNameOpcodeDisplayNameTaskDisplayNameKeywordsDisplayNamesProperties
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617630Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204352n-h2-830646-22.cbci-830646-22.local8/27/2022 7:37:26 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617629Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204352n-h2-830646-22.cbci-830646-22.local8/27/2022 7:37:26 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-21-3633094841-3717610605-3277516014-1001 Account Name: Admin Account Domain: N-H2-830646-22 Logon ID: 0x20C16 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x618 Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe479900138260-921436483760003481617628Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204352n-h2-830646-22.cbci-830646-22.local8/27/2022 7:37:25 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: 98aa1e51-e5ba-4e1a-9f69-b103d6d519bb Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0506100122900-921436483760003481617627Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 7:37:23 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSystem IntegritySystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: 98aa1e51-e5ba-4e1a-9f69-b103d6d519bb Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\1954eb1a3454511836281a6d07ec4652_3c6c94b9-4ecf-4405-b7e6-967cd262051b Operation: Read persisted key from file. Return Code: 0x0505800122920-921436483760003481617626Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 7:37:23 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1736906635-1230817581-1419948476-359654833 Account Name: 6787178B-C92D-495C-BCB1-A254B1E56F15 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x70E5D5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617625Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 7:36:55 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1736906635-1230817581-1419948476-359654833 Account Name: 6787178B-C92D-495C-BCB1-A254B1E56F15 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x71AAD7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617624Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 7:36:52 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1736906635-1230817581-1419948476-359654833 Account Name: 6787178B-C92D-495C-BCB1-A254B1E56F15 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x71AAD7 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617623Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 7:36:52 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1736906635-1230817581-1419948476-359654833 Account Name: 6787178B-C92D-495C-BCB1-A254B1E56F15 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x71AAD7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617622Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 7:36:52 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6787178B-C92D-495C-BCB1-A254B1E56F15 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617621Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 7:36:52 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x718641 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617620Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 7:36:49 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x718641 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F2DBABA7-740C-DE72-ECA8-9330E34E56B4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 54808 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617619Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 7:36:39 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x718641 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617618Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 7:36:39 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1736906635-1230817581-1419948476-359654833 Account Name: 6787178B-C92D-495C-BCB1-A254B1E56F15 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7125A7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617617Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 7:35:07 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1736906635-1230817581-1419948476-359654833 Account Name: 6787178B-C92D-495C-BCB1-A254B1E56F15 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7125A7 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617616Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 7:35:07 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1736906635-1230817581-1419948476-359654833 Account Name: 6787178B-C92D-495C-BCB1-A254B1E56F15 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7125A7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617615Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 7:35:07 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6787178B-C92D-495C-BCB1-A254B1E56F15 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617614Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 7:35:07 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1736906635-1230817581-1419948476-359654833 Account Name: 6787178B-C92D-495C-BCB1-A254B1E56F15 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x70F2E1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617613Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 7:35:03 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1736906635-1230817581-1419948476-359654833 Account Name: 6787178B-C92D-495C-BCB1-A254B1E56F15 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x70F2E1 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617612Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 7:35:03 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1736906635-1230817581-1419948476-359654833 Account Name: 6787178B-C92D-495C-BCB1-A254B1E56F15 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x70F2E1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617611Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 7:35:03 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6787178B-C92D-495C-BCB1-A254B1E56F15 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617610Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 7:35:03 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1736906635-1230817581-1419948476-359654833 Account Name: 6787178B-C92D-495C-BCB1-A254B1E56F15 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x70E48D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617609Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 7:35:02 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1736906635-1230817581-1419948476-359654833 Account Name: 6787178B-C92D-495C-BCB1-A254B1E56F15 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x70E5D5 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617608Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 7:35:02 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1736906635-1230817581-1419948476-359654833 Account Name: 6787178B-C92D-495C-BCB1-A254B1E56F15 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x70E5D5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617607Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 7:35:02 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6787178B-C92D-495C-BCB1-A254B1E56F15 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617606Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 7:35:02 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1736906635-1230817581-1419948476-359654833 Account Name: 6787178B-C92D-495C-BCB1-A254B1E56F15 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x70E57C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617605Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 7:35:02 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1736906635-1230817581-1419948476-359654833 Account Name: 6787178B-C92D-495C-BCB1-A254B1E56F15 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x70E57C Privileges: SeImpersonatePrivilege467200125480-921436483760003481617604Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 7:35:02 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1736906635-1230817581-1419948476-359654833 Account Name: 6787178B-C92D-495C-BCB1-A254B1E56F15 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x70E57C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617603Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 7:35:02 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6787178B-C92D-495C-BCB1-A254B1E56F15 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617602Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 7:35:02 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1736906635-1230817581-1419948476-359654833 Account Name: 6787178B-C92D-495C-BCB1-A254B1E56F15 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x70E533 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617601Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204352n-h2-830646-22.cbci-830646-22.local8/27/2022 7:35:02 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1736906635-1230817581-1419948476-359654833 Account Name: 6787178B-C92D-495C-BCB1-A254B1E56F15 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x70E533 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617600Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 7:35:02 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1736906635-1230817581-1419948476-359654833 Account Name: 6787178B-C92D-495C-BCB1-A254B1E56F15 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x70E533 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617599Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 7:35:02 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6787178B-C92D-495C-BCB1-A254B1E56F15 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617598Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 7:35:02 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1736906635-1230817581-1419948476-359654833 Account Name: 6787178B-C92D-495C-BCB1-A254B1E56F15 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x70E48D Privileges: SeImpersonatePrivilege467200125480-921436483760003481617597Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 7:35:02 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1736906635-1230817581-1419948476-359654833 Account Name: 6787178B-C92D-495C-BCB1-A254B1E56F15 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x70E48D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617596Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 7:35:02 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6787178B-C92D-495C-BCB1-A254B1E56F15 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617595Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 7:35:02 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x70BAC6 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617594Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 7:34:48 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x70BAC6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F2DBABA7-740C-DE72-ECA8-9330E34E56B4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 54795 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617593Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 7:34:38 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x70BAC6 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617592Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 7:34:38 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x705AAB Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617591Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204352n-h2-830646-22.cbci-830646-22.local8/27/2022 7:32:47 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x705AAB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F2DBABA7-740C-DE72-ECA8-9330E34E56B4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 54782 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617590Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 7:32:37 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x705AAB Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617589Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 7:32:37 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2664945284-1308692176-956721580-3601323974 Account Name: 9ED7D684-0ED0-4E01-AC69-0639C6D7A7D6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6F26F8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617588Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204352n-h2-830646-22.cbci-830646-22.local8/27/2022 7:31:41 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x6FAB82 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617587Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204352n-h2-830646-22.cbci-830646-22.local8/27/2022 7:30:50 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x6FAB82 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F2DBABA7-740C-DE72-ECA8-9330E34E56B4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 54767 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617586Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204352n-h2-830646-22.cbci-830646-22.local8/27/2022 7:30:36 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x6FAB82 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617585Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204352n-h2-830646-22.cbci-830646-22.local8/27/2022 7:30:36 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2664945284-1308692176-956721580-3601323974 Account Name: 9ED7D684-0ED0-4E01-AC69-0639C6D7A7D6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6F839C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617584Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204352n-h2-830646-22.cbci-830646-22.local8/27/2022 7:30:01 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2664945284-1308692176-956721580-3601323974 Account Name: 9ED7D684-0ED0-4E01-AC69-0639C6D7A7D6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6F839C Privileges: SeImpersonatePrivilege467200125480-921436483760003481617583Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204352n-h2-830646-22.cbci-830646-22.local8/27/2022 7:30:01 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2664945284-1308692176-956721580-3601323974 Account Name: 9ED7D684-0ED0-4E01-AC69-0639C6D7A7D6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6F839C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617582Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204352n-h2-830646-22.cbci-830646-22.local8/27/2022 7:30:01 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9ED7D684-0ED0-4E01-AC69-0639C6D7A7D6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617581Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204352n-h2-830646-22.cbci-830646-22.local8/27/2022 7:30:01 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2664945284-1308692176-956721580-3601323974 Account Name: 9ED7D684-0ED0-4E01-AC69-0639C6D7A7D6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6F4FDB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617580Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204352n-h2-830646-22.cbci-830646-22.local8/27/2022 7:29:54 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2664945284-1308692176-956721580-3601323974 Account Name: 9ED7D684-0ED0-4E01-AC69-0639C6D7A7D6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6F4FDB Privileges: SeImpersonatePrivilege467200125480-921436483760003481617579Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204352n-h2-830646-22.cbci-830646-22.local8/27/2022 7:29:54 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2664945284-1308692176-956721580-3601323974 Account Name: 9ED7D684-0ED0-4E01-AC69-0639C6D7A7D6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6F4FDB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617578Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204352n-h2-830646-22.cbci-830646-22.local8/27/2022 7:29:54 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9ED7D684-0ED0-4E01-AC69-0639C6D7A7D6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617577Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204352n-h2-830646-22.cbci-830646-22.local8/27/2022 7:29:54 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2664945284-1308692176-956721580-3601323974 Account Name: 9ED7D684-0ED0-4E01-AC69-0639C6D7A7D6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6F259D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617576Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204352n-h2-830646-22.cbci-830646-22.local8/27/2022 7:29:48 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2664945284-1308692176-956721580-3601323974 Account Name: 9ED7D684-0ED0-4E01-AC69-0639C6D7A7D6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6F26F8 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617575Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204352n-h2-830646-22.cbci-830646-22.local8/27/2022 7:29:48 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2664945284-1308692176-956721580-3601323974 Account Name: 9ED7D684-0ED0-4E01-AC69-0639C6D7A7D6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6F26F8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617574Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204352n-h2-830646-22.cbci-830646-22.local8/27/2022 7:29:48 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9ED7D684-0ED0-4E01-AC69-0639C6D7A7D6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617573Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204352n-h2-830646-22.cbci-830646-22.local8/27/2022 7:29:48 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2664945284-1308692176-956721580-3601323974 Account Name: 9ED7D684-0ED0-4E01-AC69-0639C6D7A7D6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6F269F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617572Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204352n-h2-830646-22.cbci-830646-22.local8/27/2022 7:29:48 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2664945284-1308692176-956721580-3601323974 Account Name: 9ED7D684-0ED0-4E01-AC69-0639C6D7A7D6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6F269F Privileges: SeImpersonatePrivilege467200125480-921436483760003481617571Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204352n-h2-830646-22.cbci-830646-22.local8/27/2022 7:29:48 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2664945284-1308692176-956721580-3601323974 Account Name: 9ED7D684-0ED0-4E01-AC69-0639C6D7A7D6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6F269F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617570Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204352n-h2-830646-22.cbci-830646-22.local8/27/2022 7:29:48 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9ED7D684-0ED0-4E01-AC69-0639C6D7A7D6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617569Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204352n-h2-830646-22.cbci-830646-22.local8/27/2022 7:29:48 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2664945284-1308692176-956721580-3601323974 Account Name: 9ED7D684-0ED0-4E01-AC69-0639C6D7A7D6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6F2655 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617568Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 7:29:48 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2664945284-1308692176-956721580-3601323974 Account Name: 9ED7D684-0ED0-4E01-AC69-0639C6D7A7D6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6F2655 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617567Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 7:29:48 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2664945284-1308692176-956721580-3601323974 Account Name: 9ED7D684-0ED0-4E01-AC69-0639C6D7A7D6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6F2655 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617566Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 7:29:48 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9ED7D684-0ED0-4E01-AC69-0639C6D7A7D6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617565Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 7:29:48 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2664945284-1308692176-956721580-3601323974 Account Name: 9ED7D684-0ED0-4E01-AC69-0639C6D7A7D6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6F259D Privileges: SeImpersonatePrivilege467200125480-921436483760003481617564Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 7:29:48 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2664945284-1308692176-956721580-3601323974 Account Name: 9ED7D684-0ED0-4E01-AC69-0639C6D7A7D6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6F259D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617563Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 7:29:48 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9ED7D684-0ED0-4E01-AC69-0639C6D7A7D6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617562Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 7:29:48 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x6ED24B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617561Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 7:28:45 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x6ED24B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F2DBABA7-740C-DE72-ECA8-9330E34E56B4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 54756 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617560Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204352n-h2-830646-22.cbci-830646-22.local8/27/2022 7:28:35 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x6ED24B Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617559Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204352n-h2-830646-22.cbci-830646-22.local8/27/2022 7:28:35 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x6E7074 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617558Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204352n-h2-830646-22.cbci-830646-22.local8/27/2022 7:26:44 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x6E7074 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F2DBABA7-740C-DE72-ECA8-9330E34E56B4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 54747 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617557Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204352n-h2-830646-22.cbci-830646-22.local8/27/2022 7:26:34 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x6E7074 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617556Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204352n-h2-830646-22.cbci-830646-22.local8/27/2022 7:26:34 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1688189919-1251616332-282473894-4050763957 Account Name: 649FBBDF-264C-4A9A-A635-D610B5C071F1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6D84BA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617555Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204352n-h2-830646-22.cbci-830646-22.local8/27/2022 7:25:59 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x6D7F60 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617554Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204352n-h2-830646-22.cbci-830646-22.local8/27/2022 7:24:47 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1688189919-1251616332-282473894-4050763957 Account Name: 649FBBDF-264C-4A9A-A635-D610B5C071F1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6DD3BB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617553Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204352n-h2-830646-22.cbci-830646-22.local8/27/2022 7:24:43 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1688189919-1251616332-282473894-4050763957 Account Name: 649FBBDF-264C-4A9A-A635-D610B5C071F1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6DD3BB Privileges: SeImpersonatePrivilege467200125480-921436483760003481617552Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204352n-h2-830646-22.cbci-830646-22.local8/27/2022 7:24:43 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1688189919-1251616332-282473894-4050763957 Account Name: 649FBBDF-264C-4A9A-A635-D610B5C071F1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6DD3BB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617551Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204352n-h2-830646-22.cbci-830646-22.local8/27/2022 7:24:43 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 649FBBDF-264C-4A9A-A635-D610B5C071F1 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617550Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204352n-h2-830646-22.cbci-830646-22.local8/27/2022 7:24:43 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1688189919-1251616332-282473894-4050763957 Account Name: 649FBBDF-264C-4A9A-A635-D610B5C071F1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6D91B5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617549Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204352n-h2-830646-22.cbci-830646-22.local8/27/2022 7:24:38 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1688189919-1251616332-282473894-4050763957 Account Name: 649FBBDF-264C-4A9A-A635-D610B5C071F1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6D91B5 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617548Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204352n-h2-830646-22.cbci-830646-22.local8/27/2022 7:24:38 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1688189919-1251616332-282473894-4050763957 Account Name: 649FBBDF-264C-4A9A-A635-D610B5C071F1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6D91B5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617547Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204352n-h2-830646-22.cbci-830646-22.local8/27/2022 7:24:38 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 649FBBDF-264C-4A9A-A635-D610B5C071F1 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617546Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204352n-h2-830646-22.cbci-830646-22.local8/27/2022 7:24:38 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1688189919-1251616332-282473894-4050763957 Account Name: 649FBBDF-264C-4A9A-A635-D610B5C071F1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6D8372 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617545Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204352n-h2-830646-22.cbci-830646-22.local8/27/2022 7:24:38 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1688189919-1251616332-282473894-4050763957 Account Name: 649FBBDF-264C-4A9A-A635-D610B5C071F1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6D84BA Privileges: SeImpersonatePrivilege467200125480-921436483760003481617544Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204352n-h2-830646-22.cbci-830646-22.local8/27/2022 7:24:38 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1688189919-1251616332-282473894-4050763957 Account Name: 649FBBDF-264C-4A9A-A635-D610B5C071F1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6D84BA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617543Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204352n-h2-830646-22.cbci-830646-22.local8/27/2022 7:24:38 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 649FBBDF-264C-4A9A-A635-D610B5C071F1 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617542Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204352n-h2-830646-22.cbci-830646-22.local8/27/2022 7:24:38 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1688189919-1251616332-282473894-4050763957 Account Name: 649FBBDF-264C-4A9A-A635-D610B5C071F1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6D8461 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617541Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204352n-h2-830646-22.cbci-830646-22.local8/27/2022 7:24:38 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1688189919-1251616332-282473894-4050763957 Account Name: 649FBBDF-264C-4A9A-A635-D610B5C071F1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6D8461 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617540Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204352n-h2-830646-22.cbci-830646-22.local8/27/2022 7:24:38 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1688189919-1251616332-282473894-4050763957 Account Name: 649FBBDF-264C-4A9A-A635-D610B5C071F1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6D8461 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617539Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204352n-h2-830646-22.cbci-830646-22.local8/27/2022 7:24:38 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 649FBBDF-264C-4A9A-A635-D610B5C071F1 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617538Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204352n-h2-830646-22.cbci-830646-22.local8/27/2022 7:24:38 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1688189919-1251616332-282473894-4050763957 Account Name: 649FBBDF-264C-4A9A-A635-D610B5C071F1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6D8418 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617537Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 7:24:38 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1688189919-1251616332-282473894-4050763957 Account Name: 649FBBDF-264C-4A9A-A635-D610B5C071F1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6D8418 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617536Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 7:24:38 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1688189919-1251616332-282473894-4050763957 Account Name: 649FBBDF-264C-4A9A-A635-D610B5C071F1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6D8418 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617535Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 7:24:38 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 649FBBDF-264C-4A9A-A635-D610B5C071F1 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617534Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 7:24:38 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1688189919-1251616332-282473894-4050763957 Account Name: 649FBBDF-264C-4A9A-A635-D610B5C071F1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6D8372 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617533Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 7:24:38 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1688189919-1251616332-282473894-4050763957 Account Name: 649FBBDF-264C-4A9A-A635-D610B5C071F1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6D8372 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617532Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 7:24:38 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 649FBBDF-264C-4A9A-A635-D610B5C071F1 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617531Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 7:24:38 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x6D7F60 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F2DBABA7-740C-DE72-ECA8-9330E34E56B4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 54732 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617530Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 7:24:33 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x6D7F60 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617529Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 7:24:33 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x6D1466 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617528Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204352n-h2-830646-22.cbci-830646-22.local8/27/2022 7:22:42 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x6D1466 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F2DBABA7-740C-DE72-ECA8-9330E34E56B4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 54703 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617527Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204352n-h2-830646-22.cbci-830646-22.local8/27/2022 7:22:32 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x6D1466 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617526Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204352n-h2-830646-22.cbci-830646-22.local8/27/2022 7:22:32 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2653472300-1257766544-3170627477-1118579590 Account Name: 9E28C62C-FE90-4AF7-95EF-FBBC862BAC42 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6BF723 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617525Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 7:21:16 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x6C257D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617524Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204352n-h2-830646-22.cbci-830646-22.local8/27/2022 7:20:43 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2653472300-1257766544-3170627477-1118579590 Account Name: 9E28C62C-FE90-4AF7-95EF-FBBC862BAC42 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6C3705 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617523Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 7:20:33 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2653472300-1257766544-3170627477-1118579590 Account Name: 9E28C62C-FE90-4AF7-95EF-FBBC862BAC42 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6C3705 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617522Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 7:20:33 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2653472300-1257766544-3170627477-1118579590 Account Name: 9E28C62C-FE90-4AF7-95EF-FBBC862BAC42 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6C3705 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617521Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 7:20:33 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9E28C62C-FE90-4AF7-95EF-FBBC862BAC42 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617520Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 7:20:33 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x6C257D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F2DBABA7-740C-DE72-ECA8-9330E34E56B4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 54690 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617519Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 7:20:31 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x6C257D Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617518Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 7:20:31 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2653472300-1257766544-3170627477-1118579590 Account Name: 9E28C62C-FE90-4AF7-95EF-FBBC862BAC42 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6C04AB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617517Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 7:20:28 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2653472300-1257766544-3170627477-1118579590 Account Name: 9E28C62C-FE90-4AF7-95EF-FBBC862BAC42 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6C04AB Privileges: SeImpersonatePrivilege467200125480-921436483760003481617516Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 7:20:28 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2653472300-1257766544-3170627477-1118579590 Account Name: 9E28C62C-FE90-4AF7-95EF-FBBC862BAC42 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6C04AB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617515Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 7:20:28 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9E28C62C-FE90-4AF7-95EF-FBBC862BAC42 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617514Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 7:20:28 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2653472300-1257766544-3170627477-1118579590 Account Name: 9E28C62C-FE90-4AF7-95EF-FBBC862BAC42 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6BF5DB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617513Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 7:20:27 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2653472300-1257766544-3170627477-1118579590 Account Name: 9E28C62C-FE90-4AF7-95EF-FBBC862BAC42 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6BF723 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617512Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 7:20:27 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2653472300-1257766544-3170627477-1118579590 Account Name: 9E28C62C-FE90-4AF7-95EF-FBBC862BAC42 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6BF723 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617511Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 7:20:27 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9E28C62C-FE90-4AF7-95EF-FBBC862BAC42 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617510Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 7:20:27 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2653472300-1257766544-3170627477-1118579590 Account Name: 9E28C62C-FE90-4AF7-95EF-FBBC862BAC42 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6BF6CA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617509Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 7:20:27 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2653472300-1257766544-3170627477-1118579590 Account Name: 9E28C62C-FE90-4AF7-95EF-FBBC862BAC42 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6BF6CA Privileges: SeImpersonatePrivilege467200125480-921436483760003481617508Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 7:20:27 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2653472300-1257766544-3170627477-1118579590 Account Name: 9E28C62C-FE90-4AF7-95EF-FBBC862BAC42 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6BF6CA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617507Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 7:20:27 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9E28C62C-FE90-4AF7-95EF-FBBC862BAC42 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617506Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 7:20:27 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2653472300-1257766544-3170627477-1118579590 Account Name: 9E28C62C-FE90-4AF7-95EF-FBBC862BAC42 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6BF681 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617505Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 7:20:27 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2653472300-1257766544-3170627477-1118579590 Account Name: 9E28C62C-FE90-4AF7-95EF-FBBC862BAC42 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6BF681 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617504Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 7:20:27 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2653472300-1257766544-3170627477-1118579590 Account Name: 9E28C62C-FE90-4AF7-95EF-FBBC862BAC42 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6BF681 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617503Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 7:20:27 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9E28C62C-FE90-4AF7-95EF-FBBC862BAC42 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617502Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 7:20:27 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2653472300-1257766544-3170627477-1118579590 Account Name: 9E28C62C-FE90-4AF7-95EF-FBBC862BAC42 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6BF5DB Privileges: SeImpersonatePrivilege467200125480-921436483760003481617501Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 7:20:27 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2653472300-1257766544-3170627477-1118579590 Account Name: 9E28C62C-FE90-4AF7-95EF-FBBC862BAC42 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6BF5DB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617500Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 7:20:27 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9E28C62C-FE90-4AF7-95EF-FBBC862BAC42 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617499Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 7:20:27 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x6B8AFF Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617498Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204352n-h2-830646-22.cbci-830646-22.local8/27/2022 7:18:43 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x6B8AFF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F2DBABA7-740C-DE72-ECA8-9330E34E56B4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 54680 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617497Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204352n-h2-830646-22.cbci-830646-22.local8/27/2022 7:18:30 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x6B8AFF Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617496Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204352n-h2-830646-22.cbci-830646-22.local8/27/2022 7:18:30 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2157994839-1257634748-3365080240-2113167540 Account Name: 80A06357-FBBC-4AF5-B00C-93C8B460F47D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6A92BB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617495Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:17:33 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2157994839-1257634748-3365080240-2113167540 Account Name: 80A06357-FBBC-4AF5-B00C-93C8B460F47D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6AD380 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617494Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:16:44 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2157994839-1257634748-3365080240-2113167540 Account Name: 80A06357-FBBC-4AF5-B00C-93C8B460F47D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6AD380 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617493Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:16:44 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2157994839-1257634748-3365080240-2113167540 Account Name: 80A06357-FBBC-4AF5-B00C-93C8B460F47D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6AD380 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617492Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:16:44 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 80A06357-FBBC-4AF5-B00C-93C8B460F47D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617491Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:16:44 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x6A6E49 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617490Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 7:16:43 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2157994839-1257634748-3365080240-2113167540 Account Name: 80A06357-FBBC-4AF5-B00C-93C8B460F47D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6AA03D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617489Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:16:38 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2157994839-1257634748-3365080240-2113167540 Account Name: 80A06357-FBBC-4AF5-B00C-93C8B460F47D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6AA03D Privileges: SeImpersonatePrivilege467200125480-921436483760003481617488Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:16:38 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2157994839-1257634748-3365080240-2113167540 Account Name: 80A06357-FBBC-4AF5-B00C-93C8B460F47D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6AA03D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617487Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:16:38 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 80A06357-FBBC-4AF5-B00C-93C8B460F47D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617486Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:16:38 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2157994839-1257634748-3365080240-2113167540 Account Name: 80A06357-FBBC-4AF5-B00C-93C8B460F47D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6A9173 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617485Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:16:38 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2157994839-1257634748-3365080240-2113167540 Account Name: 80A06357-FBBC-4AF5-B00C-93C8B460F47D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6A92BB Privileges: SeImpersonatePrivilege467200125480-921436483760003481617484Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:16:38 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2157994839-1257634748-3365080240-2113167540 Account Name: 80A06357-FBBC-4AF5-B00C-93C8B460F47D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6A92BB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617483Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:16:38 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 80A06357-FBBC-4AF5-B00C-93C8B460F47D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617482Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:16:38 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2157994839-1257634748-3365080240-2113167540 Account Name: 80A06357-FBBC-4AF5-B00C-93C8B460F47D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6A9262 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617481Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:16:38 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2157994839-1257634748-3365080240-2113167540 Account Name: 80A06357-FBBC-4AF5-B00C-93C8B460F47D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6A9262 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617480Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:16:38 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2157994839-1257634748-3365080240-2113167540 Account Name: 80A06357-FBBC-4AF5-B00C-93C8B460F47D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6A9262 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617479Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:16:38 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 80A06357-FBBC-4AF5-B00C-93C8B460F47D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617478Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:16:38 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2157994839-1257634748-3365080240-2113167540 Account Name: 80A06357-FBBC-4AF5-B00C-93C8B460F47D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6A9219 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617477Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:16:38 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2157994839-1257634748-3365080240-2113167540 Account Name: 80A06357-FBBC-4AF5-B00C-93C8B460F47D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6A9219 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617476Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:16:38 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2157994839-1257634748-3365080240-2113167540 Account Name: 80A06357-FBBC-4AF5-B00C-93C8B460F47D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6A9219 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617475Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:16:38 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 80A06357-FBBC-4AF5-B00C-93C8B460F47D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617474Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:16:38 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2157994839-1257634748-3365080240-2113167540 Account Name: 80A06357-FBBC-4AF5-B00C-93C8B460F47D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6A9173 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617473Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:16:38 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2157994839-1257634748-3365080240-2113167540 Account Name: 80A06357-FBBC-4AF5-B00C-93C8B460F47D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6A9173 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617472Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:16:38 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 80A06357-FBBC-4AF5-B00C-93C8B460F47D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617471Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:16:38 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x6A6E49 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F2DBABA7-740C-DE72-ECA8-9330E34E56B4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 54659 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617470Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:16:29 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x6A6E49 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617469Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:16:29 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x6A1BCB Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617468Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203748n-h2-830646-22.cbci-830646-22.local8/27/2022 7:14:43 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x6A1BCB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F2DBABA7-740C-DE72-ECA8-9330E34E56B4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 54640 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617467Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203748n-h2-830646-22.cbci-830646-22.local8/27/2022 7:14:28 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x6A1BCB Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617466Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203748n-h2-830646-22.cbci-830646-22.local8/27/2022 7:14:28 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2641098082-1203459344-2167491730-2517054056 Account Name: 9D6BF562-5510-47BB-924C-318168320796 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x686B8B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617465Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:13:07 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x694D9F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617464Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:12:37 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x694D9F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F2DBABA7-740C-DE72-ECA8-9330E34E56B4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 54631 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617463Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:12:27 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x694D9F Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617462Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:12:27 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2641098082-1203459344-2167491730-2517054056 Account Name: 9D6BF562-5510-47BB-924C-318168320796 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x68F1D1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617461Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:11:43 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2641098082-1203459344-2167491730-2517054056 Account Name: 9D6BF562-5510-47BB-924C-318168320796 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x68F1D1 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617460Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:11:43 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2641098082-1203459344-2167491730-2517054056 Account Name: 9D6BF562-5510-47BB-924C-318168320796 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x68F1D1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617459Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:11:43 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9D6BF562-5510-47BB-924C-318168320796 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617458Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:11:43 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2641098082-1203459344-2167491730-2517054056 Account Name: 9D6BF562-5510-47BB-924C-318168320796 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x68BC3C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617457Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:11:27 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2641098082-1203459344-2167491730-2517054056 Account Name: 9D6BF562-5510-47BB-924C-318168320796 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x68BC3C Privileges: SeImpersonatePrivilege467200125480-921436483760003481617456Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:11:27 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2641098082-1203459344-2167491730-2517054056 Account Name: 9D6BF562-5510-47BB-924C-318168320796 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x68BC3C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617455Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:11:27 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9D6BF562-5510-47BB-924C-318168320796 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617454Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:11:27 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2641098082-1203459344-2167491730-2517054056 Account Name: 9D6BF562-5510-47BB-924C-318168320796 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6878C2 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617453Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:11:22 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2641098082-1203459344-2167491730-2517054056 Account Name: 9D6BF562-5510-47BB-924C-318168320796 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6878C2 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617452Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:11:22 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2641098082-1203459344-2167491730-2517054056 Account Name: 9D6BF562-5510-47BB-924C-318168320796 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6878C2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617451Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:11:22 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9D6BF562-5510-47BB-924C-318168320796 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617450Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:11:22 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2641098082-1203459344-2167491730-2517054056 Account Name: 9D6BF562-5510-47BB-924C-318168320796 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6869CD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617449Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:11:22 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2641098082-1203459344-2167491730-2517054056 Account Name: 9D6BF562-5510-47BB-924C-318168320796 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x686B8B Privileges: SeImpersonatePrivilege467200125480-921436483760003481617448Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:11:21 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2641098082-1203459344-2167491730-2517054056 Account Name: 9D6BF562-5510-47BB-924C-318168320796 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x686B8B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617447Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:11:21 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9D6BF562-5510-47BB-924C-318168320796 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617446Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:11:21 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2641098082-1203459344-2167491730-2517054056 Account Name: 9D6BF562-5510-47BB-924C-318168320796 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x686B32 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617445Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:11:21 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2641098082-1203459344-2167491730-2517054056 Account Name: 9D6BF562-5510-47BB-924C-318168320796 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x686B32 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617444Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:11:21 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2641098082-1203459344-2167491730-2517054056 Account Name: 9D6BF562-5510-47BB-924C-318168320796 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x686B32 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617443Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:11:21 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9D6BF562-5510-47BB-924C-318168320796 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617442Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:11:21 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2641098082-1203459344-2167491730-2517054056 Account Name: 9D6BF562-5510-47BB-924C-318168320796 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x686AE9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617441Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203748n-h2-830646-22.cbci-830646-22.local8/27/2022 7:11:21 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2641098082-1203459344-2167491730-2517054056 Account Name: 9D6BF562-5510-47BB-924C-318168320796 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x686AE9 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617440Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203748n-h2-830646-22.cbci-830646-22.local8/27/2022 7:11:21 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2641098082-1203459344-2167491730-2517054056 Account Name: 9D6BF562-5510-47BB-924C-318168320796 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x686AE9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617439Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203748n-h2-830646-22.cbci-830646-22.local8/27/2022 7:11:21 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9D6BF562-5510-47BB-924C-318168320796 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617438Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203748n-h2-830646-22.cbci-830646-22.local8/27/2022 7:11:21 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2641098082-1203459344-2167491730-2517054056 Account Name: 9D6BF562-5510-47BB-924C-318168320796 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6869CD Privileges: SeImpersonatePrivilege467200125480-921436483760003481617437Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203748n-h2-830646-22.cbci-830646-22.local8/27/2022 7:11:21 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2641098082-1203459344-2167491730-2517054056 Account Name: 9D6BF562-5510-47BB-924C-318168320796 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6869CD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617436Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203748n-h2-830646-22.cbci-830646-22.local8/27/2022 7:11:21 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9D6BF562-5510-47BB-924C-318168320796 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617435Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203748n-h2-830646-22.cbci-830646-22.local8/27/2022 7:11:21 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x6841D6 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617434Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203748n-h2-830646-22.cbci-830646-22.local8/27/2022 7:10:36 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x6841D6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F2DBABA7-740C-DE72-ECA8-9330E34E56B4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 54615 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617433Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203748n-h2-830646-22.cbci-830646-22.local8/27/2022 7:10:26 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x6841D6 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617432Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203748n-h2-830646-22.cbci-830646-22.local8/27/2022 7:10:26 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x67E214 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617431Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203748n-h2-830646-22.cbci-830646-22.local8/27/2022 7:08:35 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x67E214 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F2DBABA7-740C-DE72-ECA8-9330E34E56B4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 54608 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617430Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203748n-h2-830646-22.cbci-830646-22.local8/27/2022 7:08:25 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x67E214 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617429Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203748n-h2-830646-22.cbci-830646-22.local8/27/2022 7:08:25 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x6739D9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617428Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203748n-h2-830646-22.cbci-830646-22.local8/27/2022 7:06:35 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1643925132-1270668559-2006464645-1513371511 Account Name: 61FC4E8C-DD0F-4BBC-8538-98777737345A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x669D09 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617427Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:06:30 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x6739D9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F2DBABA7-740C-DE72-ECA8-9330E34E56B4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 54592 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617426Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:06:24 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x6739D9 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617425Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:06:24 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1643925132-1270668559-2006464645-1513371511 Account Name: 61FC4E8C-DD0F-4BBC-8538-98777737345A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x671078 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617424Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:06:17 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1643925132-1270668559-2006464645-1513371511 Account Name: 61FC4E8C-DD0F-4BBC-8538-98777737345A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x671078 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617423Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:06:17 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1643925132-1270668559-2006464645-1513371511 Account Name: 61FC4E8C-DD0F-4BBC-8538-98777737345A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x671078 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617422Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:06:17 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 61FC4E8C-DD0F-4BBC-8538-98777737345A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617421Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:06:17 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1643925132-1270668559-2006464645-1513371511 Account Name: 61FC4E8C-DD0F-4BBC-8538-98777737345A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x66DA61 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617420Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:06:01 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1643925132-1270668559-2006464645-1513371511 Account Name: 61FC4E8C-DD0F-4BBC-8538-98777737345A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x66DA61 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617419Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:06:01 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1643925132-1270668559-2006464645-1513371511 Account Name: 61FC4E8C-DD0F-4BBC-8538-98777737345A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x66DA61 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617418Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:06:01 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 61FC4E8C-DD0F-4BBC-8538-98777737345A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617417Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:06:01 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1643925132-1270668559-2006464645-1513371511 Account Name: 61FC4E8C-DD0F-4BBC-8538-98777737345A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x66AA17 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617416Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:05:58 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1643925132-1270668559-2006464645-1513371511 Account Name: 61FC4E8C-DD0F-4BBC-8538-98777737345A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x66AA17 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617415Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:05:58 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1643925132-1270668559-2006464645-1513371511 Account Name: 61FC4E8C-DD0F-4BBC-8538-98777737345A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x66AA17 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617414Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:05:58 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 61FC4E8C-DD0F-4BBC-8538-98777737345A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617413Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:05:58 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1643925132-1270668559-2006464645-1513371511 Account Name: 61FC4E8C-DD0F-4BBC-8538-98777737345A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x669BC1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617412Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:05:58 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1643925132-1270668559-2006464645-1513371511 Account Name: 61FC4E8C-DD0F-4BBC-8538-98777737345A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x669D09 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617411Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:05:58 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1643925132-1270668559-2006464645-1513371511 Account Name: 61FC4E8C-DD0F-4BBC-8538-98777737345A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x669D09 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617410Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:05:58 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 61FC4E8C-DD0F-4BBC-8538-98777737345A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617409Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:05:58 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1643925132-1270668559-2006464645-1513371511 Account Name: 61FC4E8C-DD0F-4BBC-8538-98777737345A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x669CB0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617408Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:05:58 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1643925132-1270668559-2006464645-1513371511 Account Name: 61FC4E8C-DD0F-4BBC-8538-98777737345A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x669CB0 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617407Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:05:58 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1643925132-1270668559-2006464645-1513371511 Account Name: 61FC4E8C-DD0F-4BBC-8538-98777737345A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x669CB0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617406Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:05:58 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 61FC4E8C-DD0F-4BBC-8538-98777737345A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617405Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:05:58 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1643925132-1270668559-2006464645-1513371511 Account Name: 61FC4E8C-DD0F-4BBC-8538-98777737345A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x669C67 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617404Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:05:58 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1643925132-1270668559-2006464645-1513371511 Account Name: 61FC4E8C-DD0F-4BBC-8538-98777737345A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x669C67 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617403Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:05:58 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1643925132-1270668559-2006464645-1513371511 Account Name: 61FC4E8C-DD0F-4BBC-8538-98777737345A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x669C67 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617402Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:05:58 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 61FC4E8C-DD0F-4BBC-8538-98777737345A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617401Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:05:58 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1643925132-1270668559-2006464645-1513371511 Account Name: 61FC4E8C-DD0F-4BBC-8538-98777737345A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x669BC1 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617400Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:05:58 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1643925132-1270668559-2006464645-1513371511 Account Name: 61FC4E8C-DD0F-4BBC-8538-98777737345A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x669BC1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617399Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:05:58 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 61FC4E8C-DD0F-4BBC-8538-98777737345A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617398Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:05:58 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x6649A1 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617397Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:04:35 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x6649A1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F2DBABA7-740C-DE72-ECA8-9330E34E56B4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 54552 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617396Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:04:24 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x6649A1 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617395Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:04:24 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-152143283-1265777978-1668105605-2501765443 Account Name: 091185B3-3D3A-4B72-8545-6D6343E91D95 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x657125 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617394Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:03:41 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-152143283-1265777978-1668105605-2501765443 Account Name: 091185B3-3D3A-4B72-8545-6D6343E91D95 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x65BE6B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617393Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:03:21 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-152143283-1265777978-1668105605-2501765443 Account Name: 091185B3-3D3A-4B72-8545-6D6343E91D95 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x65BE6B Privileges: SeImpersonatePrivilege467200125480-921436483760003481617392Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:03:21 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-152143283-1265777978-1668105605-2501765443 Account Name: 091185B3-3D3A-4B72-8545-6D6343E91D95 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x65BE6B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617391Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:03:21 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 091185B3-3D3A-4B72-8545-6D6343E91D95 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617390Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:03:21 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-152143283-1265777978-1668105605-2501765443 Account Name: 091185B3-3D3A-4B72-8545-6D6343E91D95 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x657EB0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617389Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:03:17 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-152143283-1265777978-1668105605-2501765443 Account Name: 091185B3-3D3A-4B72-8545-6D6343E91D95 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x657EB0 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617388Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:03:17 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-152143283-1265777978-1668105605-2501765443 Account Name: 091185B3-3D3A-4B72-8545-6D6343E91D95 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x657EB0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617387Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:03:17 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 091185B3-3D3A-4B72-8545-6D6343E91D95 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617386Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:03:17 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-152143283-1265777978-1668105605-2501765443 Account Name: 091185B3-3D3A-4B72-8545-6D6343E91D95 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x656FDD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617385Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:03:16 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-152143283-1265777978-1668105605-2501765443 Account Name: 091185B3-3D3A-4B72-8545-6D6343E91D95 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x657125 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617384Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:03:16 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-152143283-1265777978-1668105605-2501765443 Account Name: 091185B3-3D3A-4B72-8545-6D6343E91D95 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x657125 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617383Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:03:16 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 091185B3-3D3A-4B72-8545-6D6343E91D95 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617382Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:03:16 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-152143283-1265777978-1668105605-2501765443 Account Name: 091185B3-3D3A-4B72-8545-6D6343E91D95 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6570CC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617381Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:03:16 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-152143283-1265777978-1668105605-2501765443 Account Name: 091185B3-3D3A-4B72-8545-6D6343E91D95 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6570CC Privileges: SeImpersonatePrivilege467200125480-921436483760003481617380Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:03:16 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-152143283-1265777978-1668105605-2501765443 Account Name: 091185B3-3D3A-4B72-8545-6D6343E91D95 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6570CC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617379Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:03:16 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 091185B3-3D3A-4B72-8545-6D6343E91D95 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617378Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:03:16 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-152143283-1265777978-1668105605-2501765443 Account Name: 091185B3-3D3A-4B72-8545-6D6343E91D95 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x657083 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617377Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 7:03:16 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-152143283-1265777978-1668105605-2501765443 Account Name: 091185B3-3D3A-4B72-8545-6D6343E91D95 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x657083 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617376Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 7:03:16 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-152143283-1265777978-1668105605-2501765443 Account Name: 091185B3-3D3A-4B72-8545-6D6343E91D95 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x657083 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617375Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 7:03:16 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 091185B3-3D3A-4B72-8545-6D6343E91D95 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617374Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 7:03:16 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-152143283-1265777978-1668105605-2501765443 Account Name: 091185B3-3D3A-4B72-8545-6D6343E91D95 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x656FDD Privileges: SeImpersonatePrivilege467200125480-921436483760003481617373Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 7:03:16 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-152143283-1265777978-1668105605-2501765443 Account Name: 091185B3-3D3A-4B72-8545-6D6343E91D95 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x656FDD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617372Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 7:03:16 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 091185B3-3D3A-4B72-8545-6D6343E91D95 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617371Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 7:03:16 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x64E7A8 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617370Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 7:02:35 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x647593 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617369Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 7:02:30 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3660188501-1172122671-3814597029-1359266724 Account Name: DA2A0B55-2C2F-45DD-A521-5EE3A4C30451 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x647F9D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617368Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 7:02:26 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x64E7A8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F2DBABA7-740C-DE72-ECA8-9330E34E56B4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 54530 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617367Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 7:02:23 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x64E7A8 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617366Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 7:02:23 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3660188501-1172122671-3814597029-1359266724 Account Name: DA2A0B55-2C2F-45DD-A521-5EE3A4C30451 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x64D52E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617365Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 7:02:22 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3660188501-1172122671-3814597029-1359266724 Account Name: DA2A0B55-2C2F-45DD-A521-5EE3A4C30451 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x64D52E Privileges: SeImpersonatePrivilege467200125480-921436483760003481617364Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 7:02:22 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3660188501-1172122671-3814597029-1359266724 Account Name: DA2A0B55-2C2F-45DD-A521-5EE3A4C30451 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x64D52E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617363Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 7:02:22 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DA2A0B55-2C2F-45DD-A521-5EE3A4C30451 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617362Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 7:02:22 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3660188501-1172122671-3814597029-1359266724 Account Name: DA2A0B55-2C2F-45DD-A521-5EE3A4C30451 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x64C233 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617361Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 7:02:22 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3660188501-1172122671-3814597029-1359266724 Account Name: DA2A0B55-2C2F-45DD-A521-5EE3A4C30451 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x64C233 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617360Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 7:02:22 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3660188501-1172122671-3814597029-1359266724 Account Name: DA2A0B55-2C2F-45DD-A521-5EE3A4C30451 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x64C233 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617359Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 7:02:22 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DA2A0B55-2C2F-45DD-A521-5EE3A4C30451 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617358Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 7:02:22 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3660188501-1172122671-3814597029-1359266724 Account Name: DA2A0B55-2C2F-45DD-A521-5EE3A4C30451 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x648CAF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617357Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 7:02:16 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3660188501-1172122671-3814597029-1359266724 Account Name: DA2A0B55-2C2F-45DD-A521-5EE3A4C30451 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x648CAF Privileges: SeImpersonatePrivilege467200125480-921436483760003481617356Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 7:02:16 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3660188501-1172122671-3814597029-1359266724 Account Name: DA2A0B55-2C2F-45DD-A521-5EE3A4C30451 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x648CAF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617355Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 7:02:16 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DA2A0B55-2C2F-45DD-A521-5EE3A4C30451 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617354Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 7:02:16 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3660188501-1172122671-3814597029-1359266724 Account Name: DA2A0B55-2C2F-45DD-A521-5EE3A4C30451 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x647E55 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617353Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 7:02:15 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3660188501-1172122671-3814597029-1359266724 Account Name: DA2A0B55-2C2F-45DD-A521-5EE3A4C30451 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x647F9D Privileges: SeImpersonatePrivilege467200125480-921436483760003481617352Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 7:02:15 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3660188501-1172122671-3814597029-1359266724 Account Name: DA2A0B55-2C2F-45DD-A521-5EE3A4C30451 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x647F9D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617351Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 7:02:15 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DA2A0B55-2C2F-45DD-A521-5EE3A4C30451 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617350Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 7:02:15 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3660188501-1172122671-3814597029-1359266724 Account Name: DA2A0B55-2C2F-45DD-A521-5EE3A4C30451 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x647F44 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617349Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 7:02:15 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3660188501-1172122671-3814597029-1359266724 Account Name: DA2A0B55-2C2F-45DD-A521-5EE3A4C30451 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x647F44 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617348Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 7:02:15 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3660188501-1172122671-3814597029-1359266724 Account Name: DA2A0B55-2C2F-45DD-A521-5EE3A4C30451 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x647F44 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617347Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 7:02:15 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DA2A0B55-2C2F-45DD-A521-5EE3A4C30451 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617346Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 7:02:15 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3660188501-1172122671-3814597029-1359266724 Account Name: DA2A0B55-2C2F-45DD-A521-5EE3A4C30451 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x647EFB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617345Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 7:02:15 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3660188501-1172122671-3814597029-1359266724 Account Name: DA2A0B55-2C2F-45DD-A521-5EE3A4C30451 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x647EFB Privileges: SeImpersonatePrivilege467200125480-921436483760003481617344Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 7:02:15 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3660188501-1172122671-3814597029-1359266724 Account Name: DA2A0B55-2C2F-45DD-A521-5EE3A4C30451 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x647EFB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617343Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 7:02:15 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DA2A0B55-2C2F-45DD-A521-5EE3A4C30451 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617342Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 7:02:15 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3660188501-1172122671-3814597029-1359266724 Account Name: DA2A0B55-2C2F-45DD-A521-5EE3A4C30451 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x647E55 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617341Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 7:02:15 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3660188501-1172122671-3814597029-1359266724 Account Name: DA2A0B55-2C2F-45DD-A521-5EE3A4C30451 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x647E55 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617340Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 7:02:15 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DA2A0B55-2C2F-45DD-A521-5EE3A4C30451 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617339Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 7:02:15 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x6475E6 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617338Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 7:02:03 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x6475E3 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617337Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 7:02:03 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x6475E2 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617336Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 7:02:03 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x6475E6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H1-830646-22 Source Network Address: 10.222.0.59 Source Port: 54523 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617335Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 7:02:03 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x6475E3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H1-830646-22 Source Network Address: 10.222.0.59 Source Port: 54522 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617334Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:02:03 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x6475E6 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617333Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 7:02:03 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x6475E3 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617332Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:02:03 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x6475E2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H1-830646-22 Source Network Address: 10.222.0.59 Source Port: 54521 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617331Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203748n-h2-830646-22.cbci-830646-22.local8/27/2022 7:02:03 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x6475E2 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617330Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203748n-h2-830646-22.cbci-830646-22.local8/27/2022 7:02:03 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x647593 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H1-830646-22 Source Network Address: 10.222.0.59 Source Port: 54520 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617329Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203748n-h2-830646-22.cbci-830646-22.local8/27/2022 7:02:03 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x647593 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617328Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203748n-h2-830646-22.cbci-830646-22.local8/27/2022 7:02:03 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1776990198-1190108980-1897597111-3922563935 Account Name: 69EAB7F6-9F34-46EF-B708-1B715F93CDE9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x63AB00 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617327Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:00:35 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x63A3A3 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617326Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:00:35 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1776990198-1190108980-1897597111-3922563935 Account Name: 69EAB7F6-9F34-46EF-B708-1B715F93CDE9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x63C9B5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617325Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:00:31 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1776990198-1190108980-1897597111-3922563935 Account Name: 69EAB7F6-9F34-46EF-B708-1B715F93CDE9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x63C9B5 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617324Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:00:31 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1776990198-1190108980-1897597111-3922563935 Account Name: 69EAB7F6-9F34-46EF-B708-1B715F93CDE9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x63C9B5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617323Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:00:31 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 69EAB7F6-9F34-46EF-B708-1B715F93CDE9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617322Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:00:31 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1776990198-1190108980-1897597111-3922563935 Account Name: 69EAB7F6-9F34-46EF-B708-1B715F93CDE9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x63B7D7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617321Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:00:31 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1776990198-1190108980-1897597111-3922563935 Account Name: 69EAB7F6-9F34-46EF-B708-1B715F93CDE9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x63B7D7 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617320Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:00:31 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1776990198-1190108980-1897597111-3922563935 Account Name: 69EAB7F6-9F34-46EF-B708-1B715F93CDE9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x63B7D7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617319Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:00:31 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 69EAB7F6-9F34-46EF-B708-1B715F93CDE9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617318Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:00:31 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1776990198-1190108980-1897597111-3922563935 Account Name: 69EAB7F6-9F34-46EF-B708-1B715F93CDE9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x63A9B8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617317Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:00:31 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1776990198-1190108980-1897597111-3922563935 Account Name: 69EAB7F6-9F34-46EF-B708-1B715F93CDE9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x63AB00 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617316Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:00:31 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1776990198-1190108980-1897597111-3922563935 Account Name: 69EAB7F6-9F34-46EF-B708-1B715F93CDE9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x63AB00 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617315Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:00:31 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 69EAB7F6-9F34-46EF-B708-1B715F93CDE9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617314Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:00:31 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1776990198-1190108980-1897597111-3922563935 Account Name: 69EAB7F6-9F34-46EF-B708-1B715F93CDE9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x63AAA7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617313Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:00:31 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1776990198-1190108980-1897597111-3922563935 Account Name: 69EAB7F6-9F34-46EF-B708-1B715F93CDE9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x63AAA7 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617312Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:00:31 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1776990198-1190108980-1897597111-3922563935 Account Name: 69EAB7F6-9F34-46EF-B708-1B715F93CDE9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x63AAA7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617311Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:00:31 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 69EAB7F6-9F34-46EF-B708-1B715F93CDE9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617310Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:00:31 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1776990198-1190108980-1897597111-3922563935 Account Name: 69EAB7F6-9F34-46EF-B708-1B715F93CDE9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x63AA5E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617309Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:00:30 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1776990198-1190108980-1897597111-3922563935 Account Name: 69EAB7F6-9F34-46EF-B708-1B715F93CDE9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x63AA5E Privileges: SeImpersonatePrivilege467200125480-921436483760003481617308Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:00:30 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1776990198-1190108980-1897597111-3922563935 Account Name: 69EAB7F6-9F34-46EF-B708-1B715F93CDE9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x63AA5E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617307Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:00:30 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 69EAB7F6-9F34-46EF-B708-1B715F93CDE9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617306Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:00:30 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1776990198-1190108980-1897597111-3922563935 Account Name: 69EAB7F6-9F34-46EF-B708-1B715F93CDE9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x63A9B8 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617305Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:00:30 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1776990198-1190108980-1897597111-3922563935 Account Name: 69EAB7F6-9F34-46EF-B708-1B715F93CDE9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x63A9B8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617304Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:00:30 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 69EAB7F6-9F34-46EF-B708-1B715F93CDE9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617303Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:00:30 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x63A3A3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F2DBABA7-740C-DE72-ECA8-9330E34E56B4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 54503 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617302Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:00:22 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x63A3A3 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617301Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:00:22 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3549555905-1337710050-887830683-1159367619 Account Name: D391ECC1-D5E2-4FBB-9B38-EB34C38B1A45 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62DD23 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617300Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 7:00:19 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3549555905-1337710050-887830683-1159367619 Account Name: D391ECC1-D5E2-4FBB-9B38-EB34C38B1A45 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x631D01 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617299Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:59:26 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3549555905-1337710050-887830683-1159367619 Account Name: D391ECC1-D5E2-4FBB-9B38-EB34C38B1A45 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x631D01 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617298Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:59:26 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3549555905-1337710050-887830683-1159367619 Account Name: D391ECC1-D5E2-4FBB-9B38-EB34C38B1A45 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x631D01 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617297Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:59:26 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D391ECC1-D5E2-4FBB-9B38-EB34C38B1A45 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617296Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:59:26 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3549555905-1337710050-887830683-1159367619 Account Name: D391ECC1-D5E2-4FBB-9B38-EB34C38B1A45 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62EA25 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617295Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:59:22 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3549555905-1337710050-887830683-1159367619 Account Name: D391ECC1-D5E2-4FBB-9B38-EB34C38B1A45 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62EA25 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617294Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:59:22 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3549555905-1337710050-887830683-1159367619 Account Name: D391ECC1-D5E2-4FBB-9B38-EB34C38B1A45 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62EA25 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617293Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:59:22 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D391ECC1-D5E2-4FBB-9B38-EB34C38B1A45 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617292Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:59:22 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3549555905-1337710050-887830683-1159367619 Account Name: D391ECC1-D5E2-4FBB-9B38-EB34C38B1A45 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62DBDB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617291Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:59:21 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3549555905-1337710050-887830683-1159367619 Account Name: D391ECC1-D5E2-4FBB-9B38-EB34C38B1A45 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62DD23 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617290Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:59:21 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3549555905-1337710050-887830683-1159367619 Account Name: D391ECC1-D5E2-4FBB-9B38-EB34C38B1A45 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62DD23 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617289Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:59:21 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D391ECC1-D5E2-4FBB-9B38-EB34C38B1A45 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617288Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:59:21 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3549555905-1337710050-887830683-1159367619 Account Name: D391ECC1-D5E2-4FBB-9B38-EB34C38B1A45 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62DCCA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617287Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:59:21 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3549555905-1337710050-887830683-1159367619 Account Name: D391ECC1-D5E2-4FBB-9B38-EB34C38B1A45 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62DCCA Privileges: SeImpersonatePrivilege467200125480-921436483760003481617286Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:59:21 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3549555905-1337710050-887830683-1159367619 Account Name: D391ECC1-D5E2-4FBB-9B38-EB34C38B1A45 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62DCCA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617285Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:59:21 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D391ECC1-D5E2-4FBB-9B38-EB34C38B1A45 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617284Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:59:21 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3549555905-1337710050-887830683-1159367619 Account Name: D391ECC1-D5E2-4FBB-9B38-EB34C38B1A45 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62DC81 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617283Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:59:21 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3549555905-1337710050-887830683-1159367619 Account Name: D391ECC1-D5E2-4FBB-9B38-EB34C38B1A45 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62DC81 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617282Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:59:21 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3549555905-1337710050-887830683-1159367619 Account Name: D391ECC1-D5E2-4FBB-9B38-EB34C38B1A45 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62DC81 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617281Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:59:21 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D391ECC1-D5E2-4FBB-9B38-EB34C38B1A45 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617280Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:59:21 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3549555905-1337710050-887830683-1159367619 Account Name: D391ECC1-D5E2-4FBB-9B38-EB34C38B1A45 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62DBDB Privileges: SeImpersonatePrivilege467200125480-921436483760003481617279Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:59:21 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3549555905-1337710050-887830683-1159367619 Account Name: D391ECC1-D5E2-4FBB-9B38-EB34C38B1A45 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62DBDB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617278Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:59:21 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D391ECC1-D5E2-4FBB-9B38-EB34C38B1A45 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617277Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:59:21 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2915522534-1290420964-3523154322-3114472369 Account Name: ADC757E6-42E4-4CEA-9211-FFD1B113A3B9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x61DE8B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617276Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:59:01 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x624C89 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617275Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:58:35 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x624C89 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F2DBABA7-740C-DE72-ECA8-9330E34E56B4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 54479 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617274Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:58:21 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x624C89 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617273Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:58:21 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2915522534-1290420964-3523154322-3114472369 Account Name: ADC757E6-42E4-4CEA-9211-FFD1B113A3B9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x622055 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617272Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:58:10 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2915522534-1290420964-3523154322-3114472369 Account Name: ADC757E6-42E4-4CEA-9211-FFD1B113A3B9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x622055 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617271Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:58:10 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2915522534-1290420964-3523154322-3114472369 Account Name: ADC757E6-42E4-4CEA-9211-FFD1B113A3B9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x622055 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617270Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:58:10 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: ADC757E6-42E4-4CEA-9211-FFD1B113A3B9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617269Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:58:10 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2915522534-1290420964-3523154322-3114472369 Account Name: ADC757E6-42E4-4CEA-9211-FFD1B113A3B9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x61EBFA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617268Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:58:04 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2915522534-1290420964-3523154322-3114472369 Account Name: ADC757E6-42E4-4CEA-9211-FFD1B113A3B9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x61EBFA Privileges: SeImpersonatePrivilege467200125480-921436483760003481617267Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:58:04 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2915522534-1290420964-3523154322-3114472369 Account Name: ADC757E6-42E4-4CEA-9211-FFD1B113A3B9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x61EBFA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617266Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:58:04 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: ADC757E6-42E4-4CEA-9211-FFD1B113A3B9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617265Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:58:04 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2915522534-1290420964-3523154322-3114472369 Account Name: ADC757E6-42E4-4CEA-9211-FFD1B113A3B9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x61DD3F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617264Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:58:03 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2915522534-1290420964-3523154322-3114472369 Account Name: ADC757E6-42E4-4CEA-9211-FFD1B113A3B9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x61DE8B Privileges: SeImpersonatePrivilege467200125480-921436483760003481617263Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:58:03 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2915522534-1290420964-3523154322-3114472369 Account Name: ADC757E6-42E4-4CEA-9211-FFD1B113A3B9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x61DE8B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617262Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:58:03 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: ADC757E6-42E4-4CEA-9211-FFD1B113A3B9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617261Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:58:03 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2915522534-1290420964-3523154322-3114472369 Account Name: ADC757E6-42E4-4CEA-9211-FFD1B113A3B9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x61DE2E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617260Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:58:03 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2915522534-1290420964-3523154322-3114472369 Account Name: ADC757E6-42E4-4CEA-9211-FFD1B113A3B9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x61DE2E Privileges: SeImpersonatePrivilege467200125480-921436483760003481617259Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:58:03 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2915522534-1290420964-3523154322-3114472369 Account Name: ADC757E6-42E4-4CEA-9211-FFD1B113A3B9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x61DE2E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617258Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:58:03 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: ADC757E6-42E4-4CEA-9211-FFD1B113A3B9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617257Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:58:03 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2915522534-1290420964-3523154322-3114472369 Account Name: ADC757E6-42E4-4CEA-9211-FFD1B113A3B9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x61DDE5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617256Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:58:03 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2915522534-1290420964-3523154322-3114472369 Account Name: ADC757E6-42E4-4CEA-9211-FFD1B113A3B9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x61DDE5 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617255Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:58:03 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2915522534-1290420964-3523154322-3114472369 Account Name: ADC757E6-42E4-4CEA-9211-FFD1B113A3B9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x61DDE5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617254Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:58:03 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: ADC757E6-42E4-4CEA-9211-FFD1B113A3B9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617253Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:58:03 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2915522534-1290420964-3523154322-3114472369 Account Name: ADC757E6-42E4-4CEA-9211-FFD1B113A3B9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x61DD3F Privileges: SeImpersonatePrivilege467200125480-921436483760003481617252Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:58:03 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2915522534-1290420964-3523154322-3114472369 Account Name: ADC757E6-42E4-4CEA-9211-FFD1B113A3B9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x61DD3F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617251Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:58:03 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: ADC757E6-42E4-4CEA-9211-FFD1B113A3B9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617250Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:58:03 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-163453699-1110117404-1310331267-4173615018 Account Name: 09BE1B03-0C1C-422B-8311-1A4EAA4FC4F8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x60FC4A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617249Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:57:46 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-163453699-1110117404-1310331267-4173615018 Account Name: 09BE1B03-0C1C-422B-8311-1A4EAA4FC4F8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x613DC7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617248Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:56:51 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-163453699-1110117404-1310331267-4173615018 Account Name: 09BE1B03-0C1C-422B-8311-1A4EAA4FC4F8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x613DC7 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617247Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:56:51 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-163453699-1110117404-1310331267-4173615018 Account Name: 09BE1B03-0C1C-422B-8311-1A4EAA4FC4F8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x613DC7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617246Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:56:51 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 09BE1B03-0C1C-422B-8311-1A4EAA4FC4F8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617245Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:56:51 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-163453699-1110117404-1310331267-4173615018 Account Name: 09BE1B03-0C1C-422B-8311-1A4EAA4FC4F8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6109CE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617244Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:56:45 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-163453699-1110117404-1310331267-4173615018 Account Name: 09BE1B03-0C1C-422B-8311-1A4EAA4FC4F8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6109CE Privileges: SeImpersonatePrivilege467200125480-921436483760003481617243Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:56:45 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-163453699-1110117404-1310331267-4173615018 Account Name: 09BE1B03-0C1C-422B-8311-1A4EAA4FC4F8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6109CE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617242Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:56:45 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 09BE1B03-0C1C-422B-8311-1A4EAA4FC4F8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617241Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:56:45 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-163453699-1110117404-1310331267-4173615018 Account Name: 09BE1B03-0C1C-422B-8311-1A4EAA4FC4F8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x60FB02 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617240Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:56:45 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-163453699-1110117404-1310331267-4173615018 Account Name: 09BE1B03-0C1C-422B-8311-1A4EAA4FC4F8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x60FC4A Privileges: SeImpersonatePrivilege467200125480-921436483760003481617239Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:56:45 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-163453699-1110117404-1310331267-4173615018 Account Name: 09BE1B03-0C1C-422B-8311-1A4EAA4FC4F8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x60FC4A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617238Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:56:45 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 09BE1B03-0C1C-422B-8311-1A4EAA4FC4F8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617237Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:56:45 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-163453699-1110117404-1310331267-4173615018 Account Name: 09BE1B03-0C1C-422B-8311-1A4EAA4FC4F8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x60FBF1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617236Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:56:45 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-163453699-1110117404-1310331267-4173615018 Account Name: 09BE1B03-0C1C-422B-8311-1A4EAA4FC4F8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x60FBF1 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617235Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:56:45 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-163453699-1110117404-1310331267-4173615018 Account Name: 09BE1B03-0C1C-422B-8311-1A4EAA4FC4F8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x60FBF1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617234Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:56:45 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 09BE1B03-0C1C-422B-8311-1A4EAA4FC4F8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617233Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:56:45 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-163453699-1110117404-1310331267-4173615018 Account Name: 09BE1B03-0C1C-422B-8311-1A4EAA4FC4F8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x60FBA8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617232Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:56:44 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-163453699-1110117404-1310331267-4173615018 Account Name: 09BE1B03-0C1C-422B-8311-1A4EAA4FC4F8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x60FBA8 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617231Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:56:44 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-163453699-1110117404-1310331267-4173615018 Account Name: 09BE1B03-0C1C-422B-8311-1A4EAA4FC4F8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x60FBA8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617230Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:56:44 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 09BE1B03-0C1C-422B-8311-1A4EAA4FC4F8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617229Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:56:44 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-163453699-1110117404-1310331267-4173615018 Account Name: 09BE1B03-0C1C-422B-8311-1A4EAA4FC4F8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x60FB02 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617228Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:56:44 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-163453699-1110117404-1310331267-4173615018 Account Name: 09BE1B03-0C1C-422B-8311-1A4EAA4FC4F8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x60FB02 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617227Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:56:44 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 09BE1B03-0C1C-422B-8311-1A4EAA4FC4F8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617226Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:56:44 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x60E1AC Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617225Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:56:33 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x60E1AC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F2DBABA7-740C-DE72-ECA8-9330E34E56B4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 54465 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617224Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:56:20 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x60E1AC Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617223Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:56:20 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1601597235-1301940030-2296990359-1872171767 Account Name: 5F766F33-073E-4D9A-974A-E988F712976F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6018BB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617222Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:56:12 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1601597235-1301940030-2296990359-1872171767 Account Name: 5F766F33-073E-4D9A-974A-E988F712976F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x605653 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617221Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:55:35 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1601597235-1301940030-2296990359-1872171767 Account Name: 5F766F33-073E-4D9A-974A-E988F712976F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x605653 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617220Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:55:35 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1601597235-1301940030-2296990359-1872171767 Account Name: 5F766F33-073E-4D9A-974A-E988F712976F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x605653 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617219Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:55:35 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5F766F33-073E-4D9A-974A-E988F712976F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617218Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:55:35 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1601597235-1301940030-2296990359-1872171767 Account Name: 5F766F33-073E-4D9A-974A-E988F712976F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x602592 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617217Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:55:29 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1601597235-1301940030-2296990359-1872171767 Account Name: 5F766F33-073E-4D9A-974A-E988F712976F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x602592 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617216Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:55:29 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1601597235-1301940030-2296990359-1872171767 Account Name: 5F766F33-073E-4D9A-974A-E988F712976F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x602592 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617215Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:55:29 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5F766F33-073E-4D9A-974A-E988F712976F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617214Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:55:29 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1601597235-1301940030-2296990359-1872171767 Account Name: 5F766F33-073E-4D9A-974A-E988F712976F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6016FD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617213Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:55:29 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1601597235-1301940030-2296990359-1872171767 Account Name: 5F766F33-073E-4D9A-974A-E988F712976F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6018BB Privileges: SeImpersonatePrivilege467200125480-921436483760003481617212Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:55:29 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1601597235-1301940030-2296990359-1872171767 Account Name: 5F766F33-073E-4D9A-974A-E988F712976F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6018BB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617211Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:55:29 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5F766F33-073E-4D9A-974A-E988F712976F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617210Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:55:29 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1601597235-1301940030-2296990359-1872171767 Account Name: 5F766F33-073E-4D9A-974A-E988F712976F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x601862 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617209Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:55:28 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1601597235-1301940030-2296990359-1872171767 Account Name: 5F766F33-073E-4D9A-974A-E988F712976F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x601862 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617208Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:55:28 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1601597235-1301940030-2296990359-1872171767 Account Name: 5F766F33-073E-4D9A-974A-E988F712976F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x601862 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617207Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:55:28 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5F766F33-073E-4D9A-974A-E988F712976F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617206Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:55:28 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1601597235-1301940030-2296990359-1872171767 Account Name: 5F766F33-073E-4D9A-974A-E988F712976F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x601819 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617205Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:55:28 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1601597235-1301940030-2296990359-1872171767 Account Name: 5F766F33-073E-4D9A-974A-E988F712976F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x601819 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617204Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:55:28 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1601597235-1301940030-2296990359-1872171767 Account Name: 5F766F33-073E-4D9A-974A-E988F712976F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x601819 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617203Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:55:28 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5F766F33-073E-4D9A-974A-E988F712976F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617202Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:55:28 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1601597235-1301940030-2296990359-1872171767 Account Name: 5F766F33-073E-4D9A-974A-E988F712976F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6016FD Privileges: SeImpersonatePrivilege467200125480-921436483760003481617201Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:55:28 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1601597235-1301940030-2296990359-1872171767 Account Name: 5F766F33-073E-4D9A-974A-E988F712976F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6016FD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617200Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:55:28 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5F766F33-073E-4D9A-974A-E988F712976F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617199Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:55:28 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x5F6F1B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617198Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:55:27 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3504316702-1274366771-14607504-2238306130 Account Name: D0DFA11E-4B33-4BF5-90E4-DE0052D76985 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5F746B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617197Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:55:24 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3504316702-1274366771-14607504-2238306130 Account Name: D0DFA11E-4B33-4BF5-90E4-DE0052D76985 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5F940F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617196Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:55:16 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3504316702-1274366771-14607504-2238306130 Account Name: D0DFA11E-4B33-4BF5-90E4-DE0052D76985 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5F940F Privileges: SeImpersonatePrivilege467200125480-921436483760003481617195Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:55:16 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3504316702-1274366771-14607504-2238306130 Account Name: D0DFA11E-4B33-4BF5-90E4-DE0052D76985 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5F940F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617194Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:55:16 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D0DFA11E-4B33-4BF5-90E4-DE0052D76985 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617193Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:55:16 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3504316702-1274366771-14607504-2238306130 Account Name: D0DFA11E-4B33-4BF5-90E4-DE0052D76985 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5F81FC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617192Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:55:16 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3504316702-1274366771-14607504-2238306130 Account Name: D0DFA11E-4B33-4BF5-90E4-DE0052D76985 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5F81FC Privileges: SeImpersonatePrivilege467200125480-921436483760003481617191Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:55:16 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3504316702-1274366771-14607504-2238306130 Account Name: D0DFA11E-4B33-4BF5-90E4-DE0052D76985 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5F81FC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617190Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:55:16 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D0DFA11E-4B33-4BF5-90E4-DE0052D76985 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617189Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:55:16 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3504316702-1274366771-14607504-2238306130 Account Name: D0DFA11E-4B33-4BF5-90E4-DE0052D76985 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5F7323 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617188Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:55:15 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3504316702-1274366771-14607504-2238306130 Account Name: D0DFA11E-4B33-4BF5-90E4-DE0052D76985 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5F746B Privileges: SeImpersonatePrivilege467200125480-921436483760003481617187Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:55:15 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3504316702-1274366771-14607504-2238306130 Account Name: D0DFA11E-4B33-4BF5-90E4-DE0052D76985 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5F746B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617186Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:55:15 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D0DFA11E-4B33-4BF5-90E4-DE0052D76985 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617185Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:55:15 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3504316702-1274366771-14607504-2238306130 Account Name: D0DFA11E-4B33-4BF5-90E4-DE0052D76985 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5F7412 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617184Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:55:15 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3504316702-1274366771-14607504-2238306130 Account Name: D0DFA11E-4B33-4BF5-90E4-DE0052D76985 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5F7412 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617183Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:55:15 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3504316702-1274366771-14607504-2238306130 Account Name: D0DFA11E-4B33-4BF5-90E4-DE0052D76985 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5F7412 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617182Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:55:15 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D0DFA11E-4B33-4BF5-90E4-DE0052D76985 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617181Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:55:15 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3504316702-1274366771-14607504-2238306130 Account Name: D0DFA11E-4B33-4BF5-90E4-DE0052D76985 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5F73C9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617180Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:55:15 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3504316702-1274366771-14607504-2238306130 Account Name: D0DFA11E-4B33-4BF5-90E4-DE0052D76985 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5F73C9 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617179Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:55:15 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3504316702-1274366771-14607504-2238306130 Account Name: D0DFA11E-4B33-4BF5-90E4-DE0052D76985 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5F73C9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617178Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:55:15 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D0DFA11E-4B33-4BF5-90E4-DE0052D76985 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617177Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:55:15 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3504316702-1274366771-14607504-2238306130 Account Name: D0DFA11E-4B33-4BF5-90E4-DE0052D76985 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5F7323 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617176Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:55:15 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3504316702-1274366771-14607504-2238306130 Account Name: D0DFA11E-4B33-4BF5-90E4-DE0052D76985 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5F7323 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617175Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:55:15 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D0DFA11E-4B33-4BF5-90E4-DE0052D76985 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617174Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:55:15 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x5F6F59 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617173Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:55:11 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x5F6F56 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617172Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:55:11 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x5F6F56 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H1-830646-22 Source Network Address: 10.222.0.59 Source Port: 54447 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617171Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:55:11 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x5F6F56 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617170Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:55:11 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x5F6F59 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H1-830646-22 Source Network Address: 10.222.0.59 Source Port: 54449 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617169Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:55:11 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x5F6F59 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617168Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:55:11 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x5F6F57 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617167Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:55:11 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x5F6F57 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H1-830646-22 Source Network Address: 10.222.0.59 Source Port: 54448 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617166Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:55:11 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x5F6F57 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617165Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:55:11 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x5F6F1B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H1-830646-22 Source Network Address: 10.222.0.59 Source Port: 54446 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617164Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:55:11 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x5F6F1B Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617163Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:55:11 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x5F498F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617162Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:54:33 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x5EA8F2 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617161Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:54:21 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x5F498F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F2DBABA7-740C-DE72-ECA8-9330E34E56B4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 54435 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617160Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:54:19 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x5F498F Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617159Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:54:19 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-990623259-1207765950-459240616-1975288453 Account Name: 3B0BB61B-0BBE-47FD-A874-5F1B8582BC75 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5EB002 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617158Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:54:15 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-990623259-1207765950-459240616-1975288453 Account Name: 3B0BB61B-0BBE-47FD-A874-5F1B8582BC75 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5ECF95 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617157Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:54:10 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-990623259-1207765950-459240616-1975288453 Account Name: 3B0BB61B-0BBE-47FD-A874-5F1B8582BC75 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5ECF95 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617156Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:54:10 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-990623259-1207765950-459240616-1975288453 Account Name: 3B0BB61B-0BBE-47FD-A874-5F1B8582BC75 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5ECF95 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617155Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:54:10 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3B0BB61B-0BBE-47FD-A874-5F1B8582BC75 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617154Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:54:10 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-990623259-1207765950-459240616-1975288453 Account Name: 3B0BB61B-0BBE-47FD-A874-5F1B8582BC75 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5EBD82 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617153Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:54:09 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-990623259-1207765950-459240616-1975288453 Account Name: 3B0BB61B-0BBE-47FD-A874-5F1B8582BC75 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5EBD82 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617152Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:54:09 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-990623259-1207765950-459240616-1975288453 Account Name: 3B0BB61B-0BBE-47FD-A874-5F1B8582BC75 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5EBD82 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617151Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:54:09 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3B0BB61B-0BBE-47FD-A874-5F1B8582BC75 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617150Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:54:09 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-990623259-1207765950-459240616-1975288453 Account Name: 3B0BB61B-0BBE-47FD-A874-5F1B8582BC75 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5EAEBA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617149Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:54:09 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-990623259-1207765950-459240616-1975288453 Account Name: 3B0BB61B-0BBE-47FD-A874-5F1B8582BC75 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5EB002 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617148Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:54:09 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-990623259-1207765950-459240616-1975288453 Account Name: 3B0BB61B-0BBE-47FD-A874-5F1B8582BC75 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5EB002 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617147Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:54:09 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3B0BB61B-0BBE-47FD-A874-5F1B8582BC75 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617146Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:54:09 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-990623259-1207765950-459240616-1975288453 Account Name: 3B0BB61B-0BBE-47FD-A874-5F1B8582BC75 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5EAFA9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617145Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:54:09 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-990623259-1207765950-459240616-1975288453 Account Name: 3B0BB61B-0BBE-47FD-A874-5F1B8582BC75 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5EAFA9 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617144Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:54:09 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-990623259-1207765950-459240616-1975288453 Account Name: 3B0BB61B-0BBE-47FD-A874-5F1B8582BC75 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5EAFA9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617143Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:54:09 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3B0BB61B-0BBE-47FD-A874-5F1B8582BC75 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617142Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:54:09 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-990623259-1207765950-459240616-1975288453 Account Name: 3B0BB61B-0BBE-47FD-A874-5F1B8582BC75 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5EAF60 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617141Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:54:09 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-990623259-1207765950-459240616-1975288453 Account Name: 3B0BB61B-0BBE-47FD-A874-5F1B8582BC75 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5EAF60 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617140Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:54:09 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-990623259-1207765950-459240616-1975288453 Account Name: 3B0BB61B-0BBE-47FD-A874-5F1B8582BC75 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5EAF60 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617139Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:54:09 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3B0BB61B-0BBE-47FD-A874-5F1B8582BC75 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617138Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:54:09 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-990623259-1207765950-459240616-1975288453 Account Name: 3B0BB61B-0BBE-47FD-A874-5F1B8582BC75 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5EAEBA Privileges: SeImpersonatePrivilege467200125480-921436483760003481617137Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:54:09 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-990623259-1207765950-459240616-1975288453 Account Name: 3B0BB61B-0BBE-47FD-A874-5F1B8582BC75 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5EAEBA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617136Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:54:09 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3B0BB61B-0BBE-47FD-A874-5F1B8582BC75 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617135Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:54:09 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x5EA944 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617134Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:54:05 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x5EA956 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617133Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:54:05 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x5EA944 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H1-830646-22 Source Network Address: 10.222.0.59 Source Port: 54426 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617132Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:54:05 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x5EA944 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617131Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:54:05 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x5EA956 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H1-830646-22 Source Network Address: 10.222.0.59 Source Port: 54427 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617130Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:54:05 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x5EA956 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617129Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:54:05 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x5EA942 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617128Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:54:05 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x5EA942 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H1-830646-22 Source Network Address: 10.222.0.59 Source Port: 54425 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617127Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:54:05 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x5EA942 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617126Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:54:05 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x5EA8F2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H1-830646-22 Source Network Address: 10.222.0.59 Source Port: 54424 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617125Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:54:05 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x5EA8F2 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617124Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:54:05 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2589563327-1244644422-552883132-2546103358 Account Name: 9A5999BF-C446-4A2F-BC53-F4203E74C297 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5CD81B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617123Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:52:28 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x5E1C89 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617122Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:52:28 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x5E1C89 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F2DBABA7-740C-DE72-ECA8-9330E34E56B4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 54410 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617121Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:52:18 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x5E1C89 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617120Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:52:18 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x5DB5ED Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617119Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:50:27 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x5DB5ED Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F2DBABA7-740C-DE72-ECA8-9330E34E56B4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 54403 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617118Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:50:17 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x5DB5ED Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617117Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:50:17 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x5D5337 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617116Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:48:27 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x5D5337 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F2DBABA7-740C-DE72-ECA8-9330E34E56B4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 54394 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617115Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203748n-h2-830646-22.cbci-830646-22.local8/27/2022 6:48:16 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x5D5337 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617114Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203748n-h2-830646-22.cbci-830646-22.local8/27/2022 6:48:16 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2589563327-1244644422-552883132-2546103358 Account Name: 9A5999BF-C446-4A2F-BC53-F4203E74C297 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5D18B9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617113Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203748n-h2-830646-22.cbci-830646-22.local8/27/2022 6:47:41 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2589563327-1244644422-552883132-2546103358 Account Name: 9A5999BF-C446-4A2F-BC53-F4203E74C297 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5D18B9 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617112Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203748n-h2-830646-22.cbci-830646-22.local8/27/2022 6:47:41 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2589563327-1244644422-552883132-2546103358 Account Name: 9A5999BF-C446-4A2F-BC53-F4203E74C297 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5D18B9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617111Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203748n-h2-830646-22.cbci-830646-22.local8/27/2022 6:47:41 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9A5999BF-C446-4A2F-BC53-F4203E74C297 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617110Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203748n-h2-830646-22.cbci-830646-22.local8/27/2022 6:47:41 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2589563327-1244644422-552883132-2546103358 Account Name: 9A5999BF-C446-4A2F-BC53-F4203E74C297 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5CE523 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617109Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203748n-h2-830646-22.cbci-830646-22.local8/27/2022 6:47:37 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2589563327-1244644422-552883132-2546103358 Account Name: 9A5999BF-C446-4A2F-BC53-F4203E74C297 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5CE523 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617108Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203748n-h2-830646-22.cbci-830646-22.local8/27/2022 6:47:37 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2589563327-1244644422-552883132-2546103358 Account Name: 9A5999BF-C446-4A2F-BC53-F4203E74C297 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5CE523 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617107Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203748n-h2-830646-22.cbci-830646-22.local8/27/2022 6:47:37 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9A5999BF-C446-4A2F-BC53-F4203E74C297 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617106Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203748n-h2-830646-22.cbci-830646-22.local8/27/2022 6:47:37 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2589563327-1244644422-552883132-2546103358 Account Name: 9A5999BF-C446-4A2F-BC53-F4203E74C297 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5CD6CF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617105Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203748n-h2-830646-22.cbci-830646-22.local8/27/2022 6:47:37 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2589563327-1244644422-552883132-2546103358 Account Name: 9A5999BF-C446-4A2F-BC53-F4203E74C297 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5CD81B Privileges: SeImpersonatePrivilege467200125480-921436483760003481617104Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203748n-h2-830646-22.cbci-830646-22.local8/27/2022 6:47:37 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2589563327-1244644422-552883132-2546103358 Account Name: 9A5999BF-C446-4A2F-BC53-F4203E74C297 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5CD81B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617103Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203748n-h2-830646-22.cbci-830646-22.local8/27/2022 6:47:37 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9A5999BF-C446-4A2F-BC53-F4203E74C297 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617102Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203748n-h2-830646-22.cbci-830646-22.local8/27/2022 6:47:37 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2589563327-1244644422-552883132-2546103358 Account Name: 9A5999BF-C446-4A2F-BC53-F4203E74C297 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5CD7C2 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617101Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203748n-h2-830646-22.cbci-830646-22.local8/27/2022 6:47:37 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2589563327-1244644422-552883132-2546103358 Account Name: 9A5999BF-C446-4A2F-BC53-F4203E74C297 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5CD7C2 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617100Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203748n-h2-830646-22.cbci-830646-22.local8/27/2022 6:47:37 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2589563327-1244644422-552883132-2546103358 Account Name: 9A5999BF-C446-4A2F-BC53-F4203E74C297 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5CD7C2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617099Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203748n-h2-830646-22.cbci-830646-22.local8/27/2022 6:47:37 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9A5999BF-C446-4A2F-BC53-F4203E74C297 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617098Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203748n-h2-830646-22.cbci-830646-22.local8/27/2022 6:47:37 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2589563327-1244644422-552883132-2546103358 Account Name: 9A5999BF-C446-4A2F-BC53-F4203E74C297 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5CD779 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617097Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:47:37 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2589563327-1244644422-552883132-2546103358 Account Name: 9A5999BF-C446-4A2F-BC53-F4203E74C297 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5CD779 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617096Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:47:37 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2589563327-1244644422-552883132-2546103358 Account Name: 9A5999BF-C446-4A2F-BC53-F4203E74C297 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5CD779 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617095Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:47:37 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9A5999BF-C446-4A2F-BC53-F4203E74C297 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617094Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:47:37 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2589563327-1244644422-552883132-2546103358 Account Name: 9A5999BF-C446-4A2F-BC53-F4203E74C297 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5CD6CF Privileges: SeImpersonatePrivilege467200125480-921436483760003481617093Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:47:37 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2589563327-1244644422-552883132-2546103358 Account Name: 9A5999BF-C446-4A2F-BC53-F4203E74C297 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5CD6CF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617092Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:47:37 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9A5999BF-C446-4A2F-BC53-F4203E74C297 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617091Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:47:37 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3040530297-1231834710-4236824724-2671568460 Account Name: B53ACF79-4E56-496C-94D0-88FC4CE63C9F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x553E36 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617090Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203748n-h2-830646-22.cbci-830646-22.local8/27/2022 6:46:33 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x5C1954 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617089Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:46:27 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1970811850-1321931191-4107502516-3924299177 Account Name: 757833CA-11B7-4ECB-B483-D3F4A90DE8E9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x576702 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617088Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:46:19 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x5C1954 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F2DBABA7-740C-DE72-ECA8-9330E34E56B4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 54384 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617087Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:46:15 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x5C1954 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617086Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:46:15 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x5AD82F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617085Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:45:12 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2874428980-1098812508-13762995-4168377102 Account Name: AB544E34-8C5C-417E-B301-D2000E6374F8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x58FD1E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617084Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:45:10 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2874428980-1098812508-13762995-4168377102 Account Name: AB544E34-8C5C-417E-B301-D2000E6374F8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B4491 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617083Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203748n-h2-830646-22.cbci-830646-22.local8/27/2022 6:44:59 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2874428980-1098812508-13762995-4168377102 Account Name: AB544E34-8C5C-417E-B301-D2000E6374F8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B4491 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617082Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203748n-h2-830646-22.cbci-830646-22.local8/27/2022 6:44:59 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2874428980-1098812508-13762995-4168377102 Account Name: AB544E34-8C5C-417E-B301-D2000E6374F8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B4491 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617081Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203748n-h2-830646-22.cbci-830646-22.local8/27/2022 6:44:59 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: AB544E34-8C5C-417E-B301-D2000E6374F8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617080Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203748n-h2-830646-22.cbci-830646-22.local8/27/2022 6:44:59 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x5AD82F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {D0B31884-CC83-5AC1-AEA2-9978389BDDB1} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 54357 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617079Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:44:50 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x5AD82F Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617078Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:44:50 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x59B740 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617077Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:44:27 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-843948463-1215066712-2279492539-4033527757 Account Name: 324DA1AF-7258-486C-BB4B-DE87CDBF6AF0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x59BAEA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617076Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:44:24 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-843948463-1215066712-2279492539-4033527757 Account Name: 324DA1AF-7258-486C-BB4B-DE87CDBF6AF0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x59F4F5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617075Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203748n-h2-830646-22.cbci-830646-22.local8/27/2022 6:44:20 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-843948463-1215066712-2279492539-4033527757 Account Name: 324DA1AF-7258-486C-BB4B-DE87CDBF6AF0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x59F4F5 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617074Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203748n-h2-830646-22.cbci-830646-22.local8/27/2022 6:44:20 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-843948463-1215066712-2279492539-4033527757 Account Name: 324DA1AF-7258-486C-BB4B-DE87CDBF6AF0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x59F4F5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617073Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203748n-h2-830646-22.cbci-830646-22.local8/27/2022 6:44:20 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 324DA1AF-7258-486C-BB4B-DE87CDBF6AF0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617072Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203748n-h2-830646-22.cbci-830646-22.local8/27/2022 6:44:20 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-843948463-1215066712-2279492539-4033527757 Account Name: 324DA1AF-7258-486C-BB4B-DE87CDBF6AF0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x59C8B4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617071Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203748n-h2-830646-22.cbci-830646-22.local8/27/2022 6:44:15 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-843948463-1215066712-2279492539-4033527757 Account Name: 324DA1AF-7258-486C-BB4B-DE87CDBF6AF0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x59C8B4 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617070Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203748n-h2-830646-22.cbci-830646-22.local8/27/2022 6:44:15 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-843948463-1215066712-2279492539-4033527757 Account Name: 324DA1AF-7258-486C-BB4B-DE87CDBF6AF0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x59C8B4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617069Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203748n-h2-830646-22.cbci-830646-22.local8/27/2022 6:44:15 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 324DA1AF-7258-486C-BB4B-DE87CDBF6AF0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617068Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203748n-h2-830646-22.cbci-830646-22.local8/27/2022 6:44:15 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-843948463-1215066712-2279492539-4033527757 Account Name: 324DA1AF-7258-486C-BB4B-DE87CDBF6AF0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x59B99F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617067Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203748n-h2-830646-22.cbci-830646-22.local8/27/2022 6:44:15 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-843948463-1215066712-2279492539-4033527757 Account Name: 324DA1AF-7258-486C-BB4B-DE87CDBF6AF0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x59BAEA Privileges: SeImpersonatePrivilege467200125480-921436483760003481617066Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203748n-h2-830646-22.cbci-830646-22.local8/27/2022 6:44:15 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-843948463-1215066712-2279492539-4033527757 Account Name: 324DA1AF-7258-486C-BB4B-DE87CDBF6AF0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x59BAEA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617065Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203748n-h2-830646-22.cbci-830646-22.local8/27/2022 6:44:15 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 324DA1AF-7258-486C-BB4B-DE87CDBF6AF0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617064Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203748n-h2-830646-22.cbci-830646-22.local8/27/2022 6:44:15 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-843948463-1215066712-2279492539-4033527757 Account Name: 324DA1AF-7258-486C-BB4B-DE87CDBF6AF0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x59BA91 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617063Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203748n-h2-830646-22.cbci-830646-22.local8/27/2022 6:44:15 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-843948463-1215066712-2279492539-4033527757 Account Name: 324DA1AF-7258-486C-BB4B-DE87CDBF6AF0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x59BA91 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617062Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203748n-h2-830646-22.cbci-830646-22.local8/27/2022 6:44:15 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-843948463-1215066712-2279492539-4033527757 Account Name: 324DA1AF-7258-486C-BB4B-DE87CDBF6AF0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x59BA91 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617061Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203748n-h2-830646-22.cbci-830646-22.local8/27/2022 6:44:15 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 324DA1AF-7258-486C-BB4B-DE87CDBF6AF0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617060Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203748n-h2-830646-22.cbci-830646-22.local8/27/2022 6:44:15 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-843948463-1215066712-2279492539-4033527757 Account Name: 324DA1AF-7258-486C-BB4B-DE87CDBF6AF0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x59BA48 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617059Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203748n-h2-830646-22.cbci-830646-22.local8/27/2022 6:44:15 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-843948463-1215066712-2279492539-4033527757 Account Name: 324DA1AF-7258-486C-BB4B-DE87CDBF6AF0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x59BA48 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617058Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203748n-h2-830646-22.cbci-830646-22.local8/27/2022 6:44:15 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-843948463-1215066712-2279492539-4033527757 Account Name: 324DA1AF-7258-486C-BB4B-DE87CDBF6AF0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x59BA48 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617057Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203748n-h2-830646-22.cbci-830646-22.local8/27/2022 6:44:15 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 324DA1AF-7258-486C-BB4B-DE87CDBF6AF0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617056Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203748n-h2-830646-22.cbci-830646-22.local8/27/2022 6:44:15 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-843948463-1215066712-2279492539-4033527757 Account Name: 324DA1AF-7258-486C-BB4B-DE87CDBF6AF0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x59B99F Privileges: SeImpersonatePrivilege467200125480-921436483760003481617055Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203748n-h2-830646-22.cbci-830646-22.local8/27/2022 6:44:15 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-843948463-1215066712-2279492539-4033527757 Account Name: 324DA1AF-7258-486C-BB4B-DE87CDBF6AF0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x59B99F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617054Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203748n-h2-830646-22.cbci-830646-22.local8/27/2022 6:44:15 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 324DA1AF-7258-486C-BB4B-DE87CDBF6AF0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617053Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203748n-h2-830646-22.cbci-830646-22.local8/27/2022 6:44:15 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x59B740 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F2DBABA7-740C-DE72-ECA8-9330E34E56B4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 54352 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617052Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203748n-h2-830646-22.cbci-830646-22.local8/27/2022 6:44:13 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x59B740 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617051Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203748n-h2-830646-22.cbci-830646-22.local8/27/2022 6:44:13 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2874428980-1098812508-13762995-4168377102 Account Name: AB544E34-8C5C-417E-B301-D2000E6374F8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x595775 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617050Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203748n-h2-830646-22.cbci-830646-22.local8/27/2022 6:44:07 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2874428980-1098812508-13762995-4168377102 Account Name: AB544E34-8C5C-417E-B301-D2000E6374F8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x595775 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617049Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203748n-h2-830646-22.cbci-830646-22.local8/27/2022 6:44:07 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2874428980-1098812508-13762995-4168377102 Account Name: AB544E34-8C5C-417E-B301-D2000E6374F8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x595775 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617048Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203748n-h2-830646-22.cbci-830646-22.local8/27/2022 6:44:07 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: AB544E34-8C5C-417E-B301-D2000E6374F8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617047Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203748n-h2-830646-22.cbci-830646-22.local8/27/2022 6:44:07 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2874428980-1098812508-13762995-4168377102 Account Name: AB544E34-8C5C-417E-B301-D2000E6374F8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x590AE5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617046Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203748n-h2-830646-22.cbci-830646-22.local8/27/2022 6:44:01 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2874428980-1098812508-13762995-4168377102 Account Name: AB544E34-8C5C-417E-B301-D2000E6374F8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x590AE5 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617045Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203748n-h2-830646-22.cbci-830646-22.local8/27/2022 6:44:01 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2874428980-1098812508-13762995-4168377102 Account Name: AB544E34-8C5C-417E-B301-D2000E6374F8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x590AE5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617044Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203748n-h2-830646-22.cbci-830646-22.local8/27/2022 6:44:01 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: AB544E34-8C5C-417E-B301-D2000E6374F8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617043Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203748n-h2-830646-22.cbci-830646-22.local8/27/2022 6:44:01 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2874428980-1098812508-13762995-4168377102 Account Name: AB544E34-8C5C-417E-B301-D2000E6374F8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x58FBD6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617042Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203748n-h2-830646-22.cbci-830646-22.local8/27/2022 6:44:01 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2874428980-1098812508-13762995-4168377102 Account Name: AB544E34-8C5C-417E-B301-D2000E6374F8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x58FD1E Privileges: SeImpersonatePrivilege467200125480-921436483760003481617041Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203748n-h2-830646-22.cbci-830646-22.local8/27/2022 6:44:01 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2874428980-1098812508-13762995-4168377102 Account Name: AB544E34-8C5C-417E-B301-D2000E6374F8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x58FD1E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617040Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203748n-h2-830646-22.cbci-830646-22.local8/27/2022 6:44:01 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: AB544E34-8C5C-417E-B301-D2000E6374F8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617039Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203748n-h2-830646-22.cbci-830646-22.local8/27/2022 6:44:01 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2874428980-1098812508-13762995-4168377102 Account Name: AB544E34-8C5C-417E-B301-D2000E6374F8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x58FCC5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617038Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203748n-h2-830646-22.cbci-830646-22.local8/27/2022 6:44:01 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2874428980-1098812508-13762995-4168377102 Account Name: AB544E34-8C5C-417E-B301-D2000E6374F8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x58FCC5 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617037Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203748n-h2-830646-22.cbci-830646-22.local8/27/2022 6:44:01 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2874428980-1098812508-13762995-4168377102 Account Name: AB544E34-8C5C-417E-B301-D2000E6374F8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x58FCC5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617036Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203748n-h2-830646-22.cbci-830646-22.local8/27/2022 6:44:01 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: AB544E34-8C5C-417E-B301-D2000E6374F8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617035Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203748n-h2-830646-22.cbci-830646-22.local8/27/2022 6:44:01 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2874428980-1098812508-13762995-4168377102 Account Name: AB544E34-8C5C-417E-B301-D2000E6374F8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x58FC7C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617034Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:44:01 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2874428980-1098812508-13762995-4168377102 Account Name: AB544E34-8C5C-417E-B301-D2000E6374F8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x58FC7C Privileges: SeImpersonatePrivilege467200125480-921436483760003481617033Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:44:01 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2874428980-1098812508-13762995-4168377102 Account Name: AB544E34-8C5C-417E-B301-D2000E6374F8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x58FC7C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617032Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:44:01 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: AB544E34-8C5C-417E-B301-D2000E6374F8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617031Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:44:01 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2874428980-1098812508-13762995-4168377102 Account Name: AB544E34-8C5C-417E-B301-D2000E6374F8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x58FBD6 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617030Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:44:01 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2874428980-1098812508-13762995-4168377102 Account Name: AB544E34-8C5C-417E-B301-D2000E6374F8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x58FBD6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617029Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:44:01 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: AB544E34-8C5C-417E-B301-D2000E6374F8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617028Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:44:01 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1970811850-1321931191-4107502516-3924299177 Account Name: 757833CA-11B7-4ECB-B483-D3F4A90DE8E9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x585954 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617027Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:43:42 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1970811850-1321931191-4107502516-3924299177 Account Name: 757833CA-11B7-4ECB-B483-D3F4A90DE8E9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x585954 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617026Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:43:42 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1970811850-1321931191-4107502516-3924299177 Account Name: 757833CA-11B7-4ECB-B483-D3F4A90DE8E9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x585954 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617025Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:43:42 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 757833CA-11B7-4ECB-B483-D3F4A90DE8E9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617024Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:43:42 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1970811850-1321931191-4107502516-3924299177 Account Name: 757833CA-11B7-4ECB-B483-D3F4A90DE8E9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x582685 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617023Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:43:37 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1970811850-1321931191-4107502516-3924299177 Account Name: 757833CA-11B7-4ECB-B483-D3F4A90DE8E9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x582685 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617022Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:43:37 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1970811850-1321931191-4107502516-3924299177 Account Name: 757833CA-11B7-4ECB-B483-D3F4A90DE8E9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x582685 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617021Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:43:37 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 757833CA-11B7-4ECB-B483-D3F4A90DE8E9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617020Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:43:37 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617019Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203748n-h2-830646-22.cbci-830646-22.local8/27/2022 6:43:32 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617018Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203748n-h2-830646-22.cbci-830646-22.local8/27/2022 6:43:32 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1970811850-1321931191-4107502516-3924299177 Account Name: 757833CA-11B7-4ECB-B483-D3F4A90DE8E9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5765A6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617017Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203748n-h2-830646-22.cbci-830646-22.local8/27/2022 6:43:31 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1970811850-1321931191-4107502516-3924299177 Account Name: 757833CA-11B7-4ECB-B483-D3F4A90DE8E9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x576702 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617016Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203748n-h2-830646-22.cbci-830646-22.local8/27/2022 6:43:31 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1970811850-1321931191-4107502516-3924299177 Account Name: 757833CA-11B7-4ECB-B483-D3F4A90DE8E9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x576702 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617015Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203748n-h2-830646-22.cbci-830646-22.local8/27/2022 6:43:31 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 757833CA-11B7-4ECB-B483-D3F4A90DE8E9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617014Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203748n-h2-830646-22.cbci-830646-22.local8/27/2022 6:43:31 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1970811850-1321931191-4107502516-3924299177 Account Name: 757833CA-11B7-4ECB-B483-D3F4A90DE8E9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5766A9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617013Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203748n-h2-830646-22.cbci-830646-22.local8/27/2022 6:43:31 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1970811850-1321931191-4107502516-3924299177 Account Name: 757833CA-11B7-4ECB-B483-D3F4A90DE8E9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5766A9 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617012Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203748n-h2-830646-22.cbci-830646-22.local8/27/2022 6:43:31 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1970811850-1321931191-4107502516-3924299177 Account Name: 757833CA-11B7-4ECB-B483-D3F4A90DE8E9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5766A9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617011Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203748n-h2-830646-22.cbci-830646-22.local8/27/2022 6:43:31 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 757833CA-11B7-4ECB-B483-D3F4A90DE8E9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617010Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203748n-h2-830646-22.cbci-830646-22.local8/27/2022 6:43:31 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1970811850-1321931191-4107502516-3924299177 Account Name: 757833CA-11B7-4ECB-B483-D3F4A90DE8E9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x57665F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617009Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203748n-h2-830646-22.cbci-830646-22.local8/27/2022 6:43:31 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1970811850-1321931191-4107502516-3924299177 Account Name: 757833CA-11B7-4ECB-B483-D3F4A90DE8E9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x57665F Privileges: SeImpersonatePrivilege467200125480-921436483760003481617008Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203748n-h2-830646-22.cbci-830646-22.local8/27/2022 6:43:31 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1970811850-1321931191-4107502516-3924299177 Account Name: 757833CA-11B7-4ECB-B483-D3F4A90DE8E9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x57665F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617007Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203748n-h2-830646-22.cbci-830646-22.local8/27/2022 6:43:31 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 757833CA-11B7-4ECB-B483-D3F4A90DE8E9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617006Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203748n-h2-830646-22.cbci-830646-22.local8/27/2022 6:43:31 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1970811850-1321931191-4107502516-3924299177 Account Name: 757833CA-11B7-4ECB-B483-D3F4A90DE8E9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5765A6 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617005Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203748n-h2-830646-22.cbci-830646-22.local8/27/2022 6:43:31 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1970811850-1321931191-4107502516-3924299177 Account Name: 757833CA-11B7-4ECB-B483-D3F4A90DE8E9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5765A6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617004Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203748n-h2-830646-22.cbci-830646-22.local8/27/2022 6:43:31 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 757833CA-11B7-4ECB-B483-D3F4A90DE8E9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617003Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203748n-h2-830646-22.cbci-830646-22.local8/27/2022 6:43:31 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x56A9EE Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617002Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203748n-h2-830646-22.cbci-830646-22.local8/27/2022 6:42:58 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4244923199-1181125254-269491102-2312438652 Account Name: FD04633F-8A86-4666-9E1B-10107C03D589 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x56AFC9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617001Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203748n-h2-830646-22.cbci-830646-22.local8/27/2022 6:42:53 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4244923199-1181125254-269491102-2312438652 Account Name: FD04633F-8A86-4666-9E1B-10107C03D589 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x56D008 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617000Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:42:48 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4244923199-1181125254-269491102-2312438652 Account Name: FD04633F-8A86-4666-9E1B-10107C03D589 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x56D008 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616999Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:42:48 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4244923199-1181125254-269491102-2312438652 Account Name: FD04633F-8A86-4666-9E1B-10107C03D589 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x56D008 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616998Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:42:48 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: FD04633F-8A86-4666-9E1B-10107C03D589 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616997Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:42:48 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4244923199-1181125254-269491102-2312438652 Account Name: FD04633F-8A86-4666-9E1B-10107C03D589 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x56BDA8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616996Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:42:48 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4244923199-1181125254-269491102-2312438652 Account Name: FD04633F-8A86-4666-9E1B-10107C03D589 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x56BDA8 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616995Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:42:48 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4244923199-1181125254-269491102-2312438652 Account Name: FD04633F-8A86-4666-9E1B-10107C03D589 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x56BDA8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616994Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:42:48 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: FD04633F-8A86-4666-9E1B-10107C03D589 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616993Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:42:48 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4244923199-1181125254-269491102-2312438652 Account Name: FD04633F-8A86-4666-9E1B-10107C03D589 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x56AE81 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616992Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:42:48 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4244923199-1181125254-269491102-2312438652 Account Name: FD04633F-8A86-4666-9E1B-10107C03D589 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x56AFC9 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616991Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:42:47 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4244923199-1181125254-269491102-2312438652 Account Name: FD04633F-8A86-4666-9E1B-10107C03D589 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x56AFC9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616990Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:42:47 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: FD04633F-8A86-4666-9E1B-10107C03D589 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616989Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:42:47 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4244923199-1181125254-269491102-2312438652 Account Name: FD04633F-8A86-4666-9E1B-10107C03D589 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x56AF70 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616988Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:42:47 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4244923199-1181125254-269491102-2312438652 Account Name: FD04633F-8A86-4666-9E1B-10107C03D589 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x56AF70 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616987Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:42:47 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4244923199-1181125254-269491102-2312438652 Account Name: FD04633F-8A86-4666-9E1B-10107C03D589 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x56AF70 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616986Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:42:47 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: FD04633F-8A86-4666-9E1B-10107C03D589 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616985Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:42:47 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4244923199-1181125254-269491102-2312438652 Account Name: FD04633F-8A86-4666-9E1B-10107C03D589 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x56AF27 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616984Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203748n-h2-830646-22.cbci-830646-22.local8/27/2022 6:42:47 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4244923199-1181125254-269491102-2312438652 Account Name: FD04633F-8A86-4666-9E1B-10107C03D589 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x56AF27 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616983Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203748n-h2-830646-22.cbci-830646-22.local8/27/2022 6:42:47 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4244923199-1181125254-269491102-2312438652 Account Name: FD04633F-8A86-4666-9E1B-10107C03D589 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x56AF27 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616982Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203748n-h2-830646-22.cbci-830646-22.local8/27/2022 6:42:47 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: FD04633F-8A86-4666-9E1B-10107C03D589 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616981Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203748n-h2-830646-22.cbci-830646-22.local8/27/2022 6:42:47 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4244923199-1181125254-269491102-2312438652 Account Name: FD04633F-8A86-4666-9E1B-10107C03D589 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x56AE81 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616980Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203748n-h2-830646-22.cbci-830646-22.local8/27/2022 6:42:47 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4244923199-1181125254-269491102-2312438652 Account Name: FD04633F-8A86-4666-9E1B-10107C03D589 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x56AE81 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616979Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203748n-h2-830646-22.cbci-830646-22.local8/27/2022 6:42:47 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: FD04633F-8A86-4666-9E1B-10107C03D589 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616978Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203748n-h2-830646-22.cbci-830646-22.local8/27/2022 6:42:47 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x56AA3A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616977Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203748n-h2-830646-22.cbci-830646-22.local8/27/2022 6:42:42 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x56AA36 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616976Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203748n-h2-830646-22.cbci-830646-22.local8/27/2022 6:42:42 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x56AA3A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H1-830646-22 Source Network Address: 10.222.0.59 Source Port: 54321 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616975Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203748n-h2-830646-22.cbci-830646-22.local8/27/2022 6:42:42 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x56AA3A Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616974Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203748n-h2-830646-22.cbci-830646-22.local8/27/2022 6:42:42 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x56AA36 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H1-830646-22 Source Network Address: 10.222.0.59 Source Port: 54320 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616973Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:42:42 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x56AA36 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616972Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:42:42 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x56AA35 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616971Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:42:42 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x56AA35 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H1-830646-22 Source Network Address: 10.222.0.59 Source Port: 54319 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616970Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:42:42 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x56AA35 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616969Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:42:42 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x56A9EE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H1-830646-22 Source Network Address: 10.222.0.59 Source Port: 54318 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616968Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:42:42 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x56A9EE Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616967Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:42:42 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x56923A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616966Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:42:22 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x56923A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F2DBABA7-740C-DE72-ECA8-9330E34E56B4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 54317 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616965Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:42:12 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x56923A Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616964Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:42:12 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4133446278-1074825868-3737622952-3513858068 Account Name: F65F6286-8A8C-4010-A899-C7DE143871D1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x55B14D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616963Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:41:15 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x55AA7F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616962Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:40:48 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4133446278-1074825868-3737622952-3513858068 Account Name: F65F6286-8A8C-4010-A899-C7DE143871D1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x55D1CF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616961Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:40:38 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4133446278-1074825868-3737622952-3513858068 Account Name: F65F6286-8A8C-4010-A899-C7DE143871D1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x55D1CF Privileges: SeImpersonatePrivilege467200125480-921436483760003481616960Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:40:38 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4133446278-1074825868-3737622952-3513858068 Account Name: F65F6286-8A8C-4010-A899-C7DE143871D1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x55D1CF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616959Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:40:38 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F65F6286-8A8C-4010-A899-C7DE143871D1 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616958Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:40:38 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4133446278-1074825868-3737622952-3513858068 Account Name: F65F6286-8A8C-4010-A899-C7DE143871D1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x55BF0A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616957Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:40:38 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4133446278-1074825868-3737622952-3513858068 Account Name: F65F6286-8A8C-4010-A899-C7DE143871D1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x55BF0A Privileges: SeImpersonatePrivilege467200125480-921436483760003481616956Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:40:38 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4133446278-1074825868-3737622952-3513858068 Account Name: F65F6286-8A8C-4010-A899-C7DE143871D1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x55BF0A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616955Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:40:38 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F65F6286-8A8C-4010-A899-C7DE143871D1 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616954Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:40:38 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4133446278-1074825868-3737622952-3513858068 Account Name: F65F6286-8A8C-4010-A899-C7DE143871D1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x55B002 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616953Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:40:38 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4133446278-1074825868-3737622952-3513858068 Account Name: F65F6286-8A8C-4010-A899-C7DE143871D1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x55B14D Privileges: SeImpersonatePrivilege467200125480-921436483760003481616952Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:40:38 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4133446278-1074825868-3737622952-3513858068 Account Name: F65F6286-8A8C-4010-A899-C7DE143871D1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x55B14D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616951Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:40:38 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F65F6286-8A8C-4010-A899-C7DE143871D1 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616950Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:40:38 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4133446278-1074825868-3737622952-3513858068 Account Name: F65F6286-8A8C-4010-A899-C7DE143871D1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x55B0F0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616949Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:40:38 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4133446278-1074825868-3737622952-3513858068 Account Name: F65F6286-8A8C-4010-A899-C7DE143871D1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x55B0F0 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616948Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:40:38 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4133446278-1074825868-3737622952-3513858068 Account Name: F65F6286-8A8C-4010-A899-C7DE143871D1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x55B0F0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616947Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:40:38 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F65F6286-8A8C-4010-A899-C7DE143871D1 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616946Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:40:38 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4133446278-1074825868-3737622952-3513858068 Account Name: F65F6286-8A8C-4010-A899-C7DE143871D1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x55B0A7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616945Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:40:37 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4133446278-1074825868-3737622952-3513858068 Account Name: F65F6286-8A8C-4010-A899-C7DE143871D1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x55B0A7 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616944Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:40:37 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4133446278-1074825868-3737622952-3513858068 Account Name: F65F6286-8A8C-4010-A899-C7DE143871D1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x55B0A7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616943Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:40:37 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F65F6286-8A8C-4010-A899-C7DE143871D1 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616942Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:40:37 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4133446278-1074825868-3737622952-3513858068 Account Name: F65F6286-8A8C-4010-A899-C7DE143871D1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x55B002 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616941Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:40:37 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4133446278-1074825868-3737622952-3513858068 Account Name: F65F6286-8A8C-4010-A899-C7DE143871D1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x55B002 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616940Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:40:37 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F65F6286-8A8C-4010-A899-C7DE143871D1 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616939Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:40:37 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x55AB13 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616938Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:40:32 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x55AADA Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616937Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:40:32 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x55AADA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H1-830646-22 Source Network Address: 10.222.0.59 Source Port: 54303 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616936Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:40:32 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x55AADA Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616935Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:40:32 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x55AB13 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H1-830646-22 Source Network Address: 10.222.0.59 Source Port: 54304 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616934Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:40:32 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x55AB13 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616933Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:40:32 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x55AAD2 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616932Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:40:32 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x55AAD2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H1-830646-22 Source Network Address: 10.222.0.59 Source Port: 54302 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616931Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:40:32 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x55AAD2 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616930Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:40:32 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x55AA7F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H1-830646-22 Source Network Address: 10.222.0.59 Source Port: 54301 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616929Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:40:32 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x55AA7F Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616928Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:40:32 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3040530297-1231834710-4236824724-2671568460 Account Name: B53ACF79-4E56-496C-94D0-88FC4CE63C9F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x55915F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616927Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:40:27 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3040530297-1231834710-4236824724-2671568460 Account Name: B53ACF79-4E56-496C-94D0-88FC4CE63C9F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x55915F Privileges: SeImpersonatePrivilege467200125480-921436483760003481616926Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:40:27 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3040530297-1231834710-4236824724-2671568460 Account Name: B53ACF79-4E56-496C-94D0-88FC4CE63C9F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x55915F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616925Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:40:27 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B53ACF79-4E56-496C-94D0-88FC4CE63C9F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616924Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:40:27 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x55314A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616923Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:40:21 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3040530297-1231834710-4236824724-2671568460 Account Name: B53ACF79-4E56-496C-94D0-88FC4CE63C9F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x555D3A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616922Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:40:21 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3040530297-1231834710-4236824724-2671568460 Account Name: B53ACF79-4E56-496C-94D0-88FC4CE63C9F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x555D3A Privileges: SeImpersonatePrivilege467200125480-921436483760003481616921Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:40:21 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3040530297-1231834710-4236824724-2671568460 Account Name: B53ACF79-4E56-496C-94D0-88FC4CE63C9F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x555D3A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616920Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:40:21 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B53ACF79-4E56-496C-94D0-88FC4CE63C9F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616919Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:40:21 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3040530297-1231834710-4236824724-2671568460 Account Name: B53ACF79-4E56-496C-94D0-88FC4CE63C9F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x553CDB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616918Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:40:16 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3040530297-1231834710-4236824724-2671568460 Account Name: B53ACF79-4E56-496C-94D0-88FC4CE63C9F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x553E36 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616917Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:40:16 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3040530297-1231834710-4236824724-2671568460 Account Name: B53ACF79-4E56-496C-94D0-88FC4CE63C9F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x553E36 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616916Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:40:16 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B53ACF79-4E56-496C-94D0-88FC4CE63C9F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616915Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:40:16 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3040530297-1231834710-4236824724-2671568460 Account Name: B53ACF79-4E56-496C-94D0-88FC4CE63C9F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x553DDD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616914Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:40:16 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3040530297-1231834710-4236824724-2671568460 Account Name: B53ACF79-4E56-496C-94D0-88FC4CE63C9F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x553DDD Privileges: SeImpersonatePrivilege467200125480-921436483760003481616913Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:40:16 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3040530297-1231834710-4236824724-2671568460 Account Name: B53ACF79-4E56-496C-94D0-88FC4CE63C9F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x553DDD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616912Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:40:16 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B53ACF79-4E56-496C-94D0-88FC4CE63C9F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616911Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:40:16 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3040530297-1231834710-4236824724-2671568460 Account Name: B53ACF79-4E56-496C-94D0-88FC4CE63C9F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x553D93 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616910Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:40:16 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3040530297-1231834710-4236824724-2671568460 Account Name: B53ACF79-4E56-496C-94D0-88FC4CE63C9F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x553D93 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616909Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:40:16 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3040530297-1231834710-4236824724-2671568460 Account Name: B53ACF79-4E56-496C-94D0-88FC4CE63C9F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x553D93 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616908Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:40:16 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B53ACF79-4E56-496C-94D0-88FC4CE63C9F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616907Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:40:16 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3040530297-1231834710-4236824724-2671568460 Account Name: B53ACF79-4E56-496C-94D0-88FC4CE63C9F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x553CDB Privileges: SeImpersonatePrivilege467200125480-921436483760003481616906Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:40:16 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3040530297-1231834710-4236824724-2671568460 Account Name: B53ACF79-4E56-496C-94D0-88FC4CE63C9F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x553CDB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616905Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:40:16 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B53ACF79-4E56-496C-94D0-88FC4CE63C9F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616904Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:40:16 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x55314A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F2DBABA7-740C-DE72-ECA8-9330E34E56B4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 54300 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616903Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:40:11 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x55314A Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616902Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:40:11 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-542985060-1126354191-2491672985-9773806 Account Name: 205D4B64-CD0F-4322-99E9-8394EE229500 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x53CCB1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616901Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:39:49 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x547D97 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616900Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:38:23 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x547D97 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F2DBABA7-740C-DE72-ECA8-9330E34E56B4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 54287 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616899Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:38:10 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x547D97 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616898Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:38:10 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-542985060-1126354191-2491672985-9773806 Account Name: 205D4B64-CD0F-4322-99E9-8394EE229500 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5431A4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616897Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:37:05 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-542985060-1126354191-2491672985-9773806 Account Name: 205D4B64-CD0F-4322-99E9-8394EE229500 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5431A4 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616896Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:37:05 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-542985060-1126354191-2491672985-9773806 Account Name: 205D4B64-CD0F-4322-99E9-8394EE229500 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5431A4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616895Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:37:05 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 205D4B64-CD0F-4322-99E9-8394EE229500 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616894Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:37:05 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-542985060-1126354191-2491672985-9773806 Account Name: 205D4B64-CD0F-4322-99E9-8394EE229500 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x53FE93 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616893Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:36:58 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-542985060-1126354191-2491672985-9773806 Account Name: 205D4B64-CD0F-4322-99E9-8394EE229500 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x53FE93 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616892Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:36:58 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-542985060-1126354191-2491672985-9773806 Account Name: 205D4B64-CD0F-4322-99E9-8394EE229500 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x53FE93 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616891Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:36:58 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 205D4B64-CD0F-4322-99E9-8394EE229500 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616890Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:36:58 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-542985060-1126354191-2491672985-9773806 Account Name: 205D4B64-CD0F-4322-99E9-8394EE229500 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x53CB50 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616889Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:36:53 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-542985060-1126354191-2491672985-9773806 Account Name: 205D4B64-CD0F-4322-99E9-8394EE229500 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x53CCB1 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616888Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:36:53 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-542985060-1126354191-2491672985-9773806 Account Name: 205D4B64-CD0F-4322-99E9-8394EE229500 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x53CCB1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616887Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:36:53 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 205D4B64-CD0F-4322-99E9-8394EE229500 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616886Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:36:53 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-542985060-1126354191-2491672985-9773806 Account Name: 205D4B64-CD0F-4322-99E9-8394EE229500 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x53CC58 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616885Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:36:53 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-542985060-1126354191-2491672985-9773806 Account Name: 205D4B64-CD0F-4322-99E9-8394EE229500 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x53CC58 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616884Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:36:53 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-542985060-1126354191-2491672985-9773806 Account Name: 205D4B64-CD0F-4322-99E9-8394EE229500 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x53CC58 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616883Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:36:53 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 205D4B64-CD0F-4322-99E9-8394EE229500 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616882Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:36:53 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-542985060-1126354191-2491672985-9773806 Account Name: 205D4B64-CD0F-4322-99E9-8394EE229500 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x53CC0E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616881Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:36:53 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-542985060-1126354191-2491672985-9773806 Account Name: 205D4B64-CD0F-4322-99E9-8394EE229500 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x53CC0E Privileges: SeImpersonatePrivilege467200125480-921436483760003481616880Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:36:53 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-542985060-1126354191-2491672985-9773806 Account Name: 205D4B64-CD0F-4322-99E9-8394EE229500 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x53CC0E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616879Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:36:53 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 205D4B64-CD0F-4322-99E9-8394EE229500 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616878Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:36:53 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-542985060-1126354191-2491672985-9773806 Account Name: 205D4B64-CD0F-4322-99E9-8394EE229500 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x53CB50 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616877Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:36:52 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-542985060-1126354191-2491672985-9773806 Account Name: 205D4B64-CD0F-4322-99E9-8394EE229500 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x53CB50 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616876Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:36:52 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 205D4B64-CD0F-4322-99E9-8394EE229500 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616875Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:36:52 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x53A84C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616874Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:36:23 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x53A84C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F2DBABA7-740C-DE72-ECA8-9330E34E56B4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 54254 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616873Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:36:09 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x53A84C Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616872Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:36:09 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-237847737-1120270516-3872785818-3992448360 Account Name: 0E2D44B9-F8B4-42C5-9A05-D6E668EDF7ED Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5286A1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616871Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:35:20 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-237847737-1120270516-3872785818-3992448360 Account Name: 0E2D44B9-F8B4-42C5-9A05-D6E668EDF7ED Account Domain: NT VIRTUAL MACHINE Logon ID: 0x531B0E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616870Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:35:16 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-237847737-1120270516-3872785818-3992448360 Account Name: 0E2D44B9-F8B4-42C5-9A05-D6E668EDF7ED Account Domain: NT VIRTUAL MACHINE Logon ID: 0x531B0E Privileges: SeImpersonatePrivilege467200125480-921436483760003481616869Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:35:16 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-237847737-1120270516-3872785818-3992448360 Account Name: 0E2D44B9-F8B4-42C5-9A05-D6E668EDF7ED Account Domain: NT VIRTUAL MACHINE Logon ID: 0x531B0E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616868Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:35:16 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0E2D44B9-F8B4-42C5-9A05-D6E668EDF7ED Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616867Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:35:16 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-237847737-1120270516-3872785818-3992448360 Account Name: 0E2D44B9-F8B4-42C5-9A05-D6E668EDF7ED Account Domain: NT VIRTUAL MACHINE Logon ID: 0x52DD57 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616866Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:35:10 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-237847737-1120270516-3872785818-3992448360 Account Name: 0E2D44B9-F8B4-42C5-9A05-D6E668EDF7ED Account Domain: NT VIRTUAL MACHINE Logon ID: 0x52DD57 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616865Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:35:10 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-237847737-1120270516-3872785818-3992448360 Account Name: 0E2D44B9-F8B4-42C5-9A05-D6E668EDF7ED Account Domain: NT VIRTUAL MACHINE Logon ID: 0x52DD57 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616864Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:35:10 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0E2D44B9-F8B4-42C5-9A05-D6E668EDF7ED Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616863Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:35:10 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3410580755-1175287230-1060290980-377768209 Account Name: CB495513-75BE-460D-A4C1-323F11498416 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x520B10 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616862Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:35:09 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-237847737-1120270516-3872785818-3992448360 Account Name: 0E2D44B9-F8B4-42C5-9A05-D6E668EDF7ED Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5284CB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616861Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:35:04 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-237847737-1120270516-3872785818-3992448360 Account Name: 0E2D44B9-F8B4-42C5-9A05-D6E668EDF7ED Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5286A1 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616860Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:35:04 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-237847737-1120270516-3872785818-3992448360 Account Name: 0E2D44B9-F8B4-42C5-9A05-D6E668EDF7ED Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5286A1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616859Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:35:04 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0E2D44B9-F8B4-42C5-9A05-D6E668EDF7ED Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616858Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:35:04 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-237847737-1120270516-3872785818-3992448360 Account Name: 0E2D44B9-F8B4-42C5-9A05-D6E668EDF7ED Account Domain: NT VIRTUAL MACHINE Logon ID: 0x528648 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616857Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:35:04 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-237847737-1120270516-3872785818-3992448360 Account Name: 0E2D44B9-F8B4-42C5-9A05-D6E668EDF7ED Account Domain: NT VIRTUAL MACHINE Logon ID: 0x528648 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616856Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:35:04 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-237847737-1120270516-3872785818-3992448360 Account Name: 0E2D44B9-F8B4-42C5-9A05-D6E668EDF7ED Account Domain: NT VIRTUAL MACHINE Logon ID: 0x528648 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616855Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:35:04 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0E2D44B9-F8B4-42C5-9A05-D6E668EDF7ED Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616854Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:35:04 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-237847737-1120270516-3872785818-3992448360 Account Name: 0E2D44B9-F8B4-42C5-9A05-D6E668EDF7ED Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5285FA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616853Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:35:04 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-237847737-1120270516-3872785818-3992448360 Account Name: 0E2D44B9-F8B4-42C5-9A05-D6E668EDF7ED Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5285FA Privileges: SeImpersonatePrivilege467200125480-921436483760003481616852Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:35:04 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-237847737-1120270516-3872785818-3992448360 Account Name: 0E2D44B9-F8B4-42C5-9A05-D6E668EDF7ED Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5285FA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616851Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:35:04 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0E2D44B9-F8B4-42C5-9A05-D6E668EDF7ED Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616850Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:35:04 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-237847737-1120270516-3872785818-3992448360 Account Name: 0E2D44B9-F8B4-42C5-9A05-D6E668EDF7ED Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5284CB Privileges: SeImpersonatePrivilege467200125480-921436483760003481616849Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:35:04 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-237847737-1120270516-3872785818-3992448360 Account Name: 0E2D44B9-F8B4-42C5-9A05-D6E668EDF7ED Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5284CB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616848Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:35:04 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0E2D44B9-F8B4-42C5-9A05-D6E668EDF7ED Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616847Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:35:04 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3410580755-1175287230-1060290980-377768209 Account Name: CB495513-75BE-460D-A4C1-323F11498416 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x524B44 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616846Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:34:38 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3410580755-1175287230-1060290980-377768209 Account Name: CB495513-75BE-460D-A4C1-323F11498416 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x524B44 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616845Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:34:38 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3410580755-1175287230-1060290980-377768209 Account Name: CB495513-75BE-460D-A4C1-323F11498416 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x524B44 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616844Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:34:38 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CB495513-75BE-460D-A4C1-323F11498416 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616843Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:34:38 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3410580755-1175287230-1060290980-377768209 Account Name: CB495513-75BE-460D-A4C1-323F11498416 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x521896 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616842Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:34:33 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3410580755-1175287230-1060290980-377768209 Account Name: CB495513-75BE-460D-A4C1-323F11498416 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x521896 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616841Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:34:33 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3410580755-1175287230-1060290980-377768209 Account Name: CB495513-75BE-460D-A4C1-323F11498416 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x521896 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616840Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:34:33 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CB495513-75BE-460D-A4C1-323F11498416 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616839Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:34:33 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3410580755-1175287230-1060290980-377768209 Account Name: CB495513-75BE-460D-A4C1-323F11498416 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5209C8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616838Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:34:32 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3410580755-1175287230-1060290980-377768209 Account Name: CB495513-75BE-460D-A4C1-323F11498416 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x520B10 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616837Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:34:32 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3410580755-1175287230-1060290980-377768209 Account Name: CB495513-75BE-460D-A4C1-323F11498416 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x520B10 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616836Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:34:32 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CB495513-75BE-460D-A4C1-323F11498416 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616835Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:34:32 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3410580755-1175287230-1060290980-377768209 Account Name: CB495513-75BE-460D-A4C1-323F11498416 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x520AB7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616834Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:34:32 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3410580755-1175287230-1060290980-377768209 Account Name: CB495513-75BE-460D-A4C1-323F11498416 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x520AB7 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616833Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:34:32 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3410580755-1175287230-1060290980-377768209 Account Name: CB495513-75BE-460D-A4C1-323F11498416 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x520AB7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616832Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:34:32 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CB495513-75BE-460D-A4C1-323F11498416 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616831Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:34:32 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3410580755-1175287230-1060290980-377768209 Account Name: CB495513-75BE-460D-A4C1-323F11498416 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x520A6E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616830Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:34:32 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3410580755-1175287230-1060290980-377768209 Account Name: CB495513-75BE-460D-A4C1-323F11498416 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x520A6E Privileges: SeImpersonatePrivilege467200125480-921436483760003481616829Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:34:32 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3410580755-1175287230-1060290980-377768209 Account Name: CB495513-75BE-460D-A4C1-323F11498416 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x520A6E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616828Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:34:32 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CB495513-75BE-460D-A4C1-323F11498416 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616827Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:34:32 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3410580755-1175287230-1060290980-377768209 Account Name: CB495513-75BE-460D-A4C1-323F11498416 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5209C8 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616826Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:34:32 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3410580755-1175287230-1060290980-377768209 Account Name: CB495513-75BE-460D-A4C1-323F11498416 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5209C8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616825Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:34:32 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CB495513-75BE-460D-A4C1-323F11498416 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616824Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:34:32 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x51F185 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616823Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:34:18 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x51F185 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F2DBABA7-740C-DE72-ECA8-9330E34E56B4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 54216 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616822Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:34:08 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x51F185 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616821Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:34:08 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x5184FC Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616820Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:32:21 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x5184FC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F2DBABA7-740C-DE72-ECA8-9330E34E56B4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 54202 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616819Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:32:07 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x5184FC Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616818Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:32:07 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1625282925-1281988742-713708985-2262915517 Account Name: 60DFD96D-9886-4C69-B955-8A2ABD59E186 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x50B7EF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616817Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:31:50 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1625282925-1281988742-713708985-2262915517 Account Name: 60DFD96D-9886-4C69-B955-8A2ABD59E186 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x510E79 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616816Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:31:45 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1625282925-1281988742-713708985-2262915517 Account Name: 60DFD96D-9886-4C69-B955-8A2ABD59E186 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x510E79 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616815Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:31:45 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1625282925-1281988742-713708985-2262915517 Account Name: 60DFD96D-9886-4C69-B955-8A2ABD59E186 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x510E79 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616814Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:31:45 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 60DFD96D-9886-4C69-B955-8A2ABD59E186 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616813Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:31:45 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1625282925-1281988742-713708985-2262915517 Account Name: 60DFD96D-9886-4C69-B955-8A2ABD59E186 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x50D8B3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616812Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:31:40 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1625282925-1281988742-713708985-2262915517 Account Name: 60DFD96D-9886-4C69-B955-8A2ABD59E186 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x50D8B3 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616811Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:31:40 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1625282925-1281988742-713708985-2262915517 Account Name: 60DFD96D-9886-4C69-B955-8A2ABD59E186 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x50D8B3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616810Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:31:40 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 60DFD96D-9886-4C69-B955-8A2ABD59E186 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616809Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:31:40 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1625282925-1281988742-713708985-2262915517 Account Name: 60DFD96D-9886-4C69-B955-8A2ABD59E186 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x50B694 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616808Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:31:35 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1625282925-1281988742-713708985-2262915517 Account Name: 60DFD96D-9886-4C69-B955-8A2ABD59E186 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x50B7EF Privileges: SeImpersonatePrivilege467200125480-921436483760003481616807Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:31:35 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1625282925-1281988742-713708985-2262915517 Account Name: 60DFD96D-9886-4C69-B955-8A2ABD59E186 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x50B7EF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616806Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:31:35 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 60DFD96D-9886-4C69-B955-8A2ABD59E186 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616805Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:31:35 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1625282925-1281988742-713708985-2262915517 Account Name: 60DFD96D-9886-4C69-B955-8A2ABD59E186 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x50B796 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616804Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:31:35 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1625282925-1281988742-713708985-2262915517 Account Name: 60DFD96D-9886-4C69-B955-8A2ABD59E186 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x50B796 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616803Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:31:35 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1625282925-1281988742-713708985-2262915517 Account Name: 60DFD96D-9886-4C69-B955-8A2ABD59E186 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x50B796 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616802Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:31:35 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 60DFD96D-9886-4C69-B955-8A2ABD59E186 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616801Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:31:35 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1625282925-1281988742-713708985-2262915517 Account Name: 60DFD96D-9886-4C69-B955-8A2ABD59E186 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x50B74C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616800Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:31:35 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1625282925-1281988742-713708985-2262915517 Account Name: 60DFD96D-9886-4C69-B955-8A2ABD59E186 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x50B74C Privileges: SeImpersonatePrivilege467200125480-921436483760003481616799Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:31:35 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1625282925-1281988742-713708985-2262915517 Account Name: 60DFD96D-9886-4C69-B955-8A2ABD59E186 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x50B74C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616798Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:31:35 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 60DFD96D-9886-4C69-B955-8A2ABD59E186 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616797Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:31:35 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1625282925-1281988742-713708985-2262915517 Account Name: 60DFD96D-9886-4C69-B955-8A2ABD59E186 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x50B694 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616796Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:31:34 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1625282925-1281988742-713708985-2262915517 Account Name: 60DFD96D-9886-4C69-B955-8A2ABD59E186 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x50B694 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616795Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:31:34 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 60DFD96D-9886-4C69-B955-8A2ABD59E186 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616794Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:31:34 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x506D16 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616793Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:30:21 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x506D16 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F2DBABA7-740C-DE72-ECA8-9330E34E56B4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 54176 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616792Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:30:06 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x506D16 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616791Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:30:06 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1261475612-1314667121-4147798444-1303512965 Account Name: 4B30971C-3A71-4E5C-AC61-3AF78507B24D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4EDB3D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616790Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:29:49 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x4FA908 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616789Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:28:16 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x4FA908 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F2DBABA7-740C-DE72-ECA8-9330E34E56B4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 54136 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616788Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:28:05 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x4FA908 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616787Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:28:05 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1261475612-1314667121-4147798444-1303512965 Account Name: 4B30971C-3A71-4E5C-AC61-3AF78507B24D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4F70B0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616786Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:27:14 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1261475612-1314667121-4147798444-1303512965 Account Name: 4B30971C-3A71-4E5C-AC61-3AF78507B24D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4F70B0 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616785Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:27:14 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1261475612-1314667121-4147798444-1303512965 Account Name: 4B30971C-3A71-4E5C-AC61-3AF78507B24D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4F70B0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616784Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:27:14 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4B30971C-3A71-4E5C-AC61-3AF78507B24D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616783Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:27:14 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1261475612-1314667121-4147798444-1303512965 Account Name: 4B30971C-3A71-4E5C-AC61-3AF78507B24D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4F2F0F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616782Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:26:54 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1261475612-1314667121-4147798444-1303512965 Account Name: 4B30971C-3A71-4E5C-AC61-3AF78507B24D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4F2F0F Privileges: SeImpersonatePrivilege467200125480-921436483760003481616781Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:26:54 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1261475612-1314667121-4147798444-1303512965 Account Name: 4B30971C-3A71-4E5C-AC61-3AF78507B24D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4F2F0F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616780Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:26:54 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4B30971C-3A71-4E5C-AC61-3AF78507B24D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616779Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:26:54 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1261475612-1314667121-4147798444-1303512965 Account Name: 4B30971C-3A71-4E5C-AC61-3AF78507B24D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4EEA14 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616778Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:26:45 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1261475612-1314667121-4147798444-1303512965 Account Name: 4B30971C-3A71-4E5C-AC61-3AF78507B24D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4EEA14 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616777Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:26:45 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1261475612-1314667121-4147798444-1303512965 Account Name: 4B30971C-3A71-4E5C-AC61-3AF78507B24D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4EEA14 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616776Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:26:45 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4B30971C-3A71-4E5C-AC61-3AF78507B24D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616775Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:26:45 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1261475612-1314667121-4147798444-1303512965 Account Name: 4B30971C-3A71-4E5C-AC61-3AF78507B24D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4ED92A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616774Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:26:45 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1261475612-1314667121-4147798444-1303512965 Account Name: 4B30971C-3A71-4E5C-AC61-3AF78507B24D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4EDB3D Privileges: SeImpersonatePrivilege467200125480-921436483760003481616773Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:26:45 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1261475612-1314667121-4147798444-1303512965 Account Name: 4B30971C-3A71-4E5C-AC61-3AF78507B24D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4EDB3D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616772Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:26:45 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4B30971C-3A71-4E5C-AC61-3AF78507B24D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616771Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:26:45 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1261475612-1314667121-4147798444-1303512965 Account Name: 4B30971C-3A71-4E5C-AC61-3AF78507B24D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4EDA1B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616770Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:26:45 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1261475612-1314667121-4147798444-1303512965 Account Name: 4B30971C-3A71-4E5C-AC61-3AF78507B24D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4EDA1B Privileges: SeImpersonatePrivilege467200125480-921436483760003481616769Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:26:45 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1261475612-1314667121-4147798444-1303512965 Account Name: 4B30971C-3A71-4E5C-AC61-3AF78507B24D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4EDA1B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616768Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:26:45 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4B30971C-3A71-4E5C-AC61-3AF78507B24D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616767Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:26:45 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1261475612-1314667121-4147798444-1303512965 Account Name: 4B30971C-3A71-4E5C-AC61-3AF78507B24D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4ED9D2 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616766Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:26:45 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1261475612-1314667121-4147798444-1303512965 Account Name: 4B30971C-3A71-4E5C-AC61-3AF78507B24D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4ED9D2 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616765Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:26:45 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1261475612-1314667121-4147798444-1303512965 Account Name: 4B30971C-3A71-4E5C-AC61-3AF78507B24D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4ED9D2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616764Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:26:45 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4B30971C-3A71-4E5C-AC61-3AF78507B24D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616763Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:26:45 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1261475612-1314667121-4147798444-1303512965 Account Name: 4B30971C-3A71-4E5C-AC61-3AF78507B24D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4ED92A Privileges: SeImpersonatePrivilege467200125480-921436483760003481616762Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:26:45 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1261475612-1314667121-4147798444-1303512965 Account Name: 4B30971C-3A71-4E5C-AC61-3AF78507B24D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4ED92A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616761Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:26:45 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4B30971C-3A71-4E5C-AC61-3AF78507B24D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616760Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:26:45 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x4EB6F3 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616759Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:26:16 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x4EB6F3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F2DBABA7-740C-DE72-ECA8-9330E34E56B4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 54114 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616758Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:26:04 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x4EB6F3 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616757Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:26:04 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3766095560-1330249705-284579992-2263498217 Account Name: E07A0EC8-FFE9-4F49-9858-F610E93DEA86 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4DD2B9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616756Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:24:40 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3766095560-1330249705-284579992-2263498217 Account Name: E07A0EC8-FFE9-4F49-9858-F610E93DEA86 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4E136E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616755Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:24:35 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3766095560-1330249705-284579992-2263498217 Account Name: E07A0EC8-FFE9-4F49-9858-F610E93DEA86 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4E136E Privileges: SeImpersonatePrivilege467200125480-921436483760003481616754Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:24:35 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3766095560-1330249705-284579992-2263498217 Account Name: E07A0EC8-FFE9-4F49-9858-F610E93DEA86 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4E136E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616753Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:24:35 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E07A0EC8-FFE9-4F49-9858-F610E93DEA86 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616752Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:24:35 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3766095560-1330249705-284579992-2263498217 Account Name: E07A0EC8-FFE9-4F49-9858-F610E93DEA86 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4DE03B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616751Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:24:29 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3766095560-1330249705-284579992-2263498217 Account Name: E07A0EC8-FFE9-4F49-9858-F610E93DEA86 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4DE03B Privileges: SeImpersonatePrivilege467200125480-921436483760003481616750Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:24:29 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3766095560-1330249705-284579992-2263498217 Account Name: E07A0EC8-FFE9-4F49-9858-F610E93DEA86 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4DE03B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616749Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:24:29 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E07A0EC8-FFE9-4F49-9858-F610E93DEA86 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616748Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:24:29 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3766095560-1330249705-284579992-2263498217 Account Name: E07A0EC8-FFE9-4F49-9858-F610E93DEA86 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4DD171 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616747Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:24:28 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3766095560-1330249705-284579992-2263498217 Account Name: E07A0EC8-FFE9-4F49-9858-F610E93DEA86 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4DD2B9 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616746Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:24:28 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3766095560-1330249705-284579992-2263498217 Account Name: E07A0EC8-FFE9-4F49-9858-F610E93DEA86 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4DD2B9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616745Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:24:28 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E07A0EC8-FFE9-4F49-9858-F610E93DEA86 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616744Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:24:28 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3766095560-1330249705-284579992-2263498217 Account Name: E07A0EC8-FFE9-4F49-9858-F610E93DEA86 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4DD260 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616743Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:24:28 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3766095560-1330249705-284579992-2263498217 Account Name: E07A0EC8-FFE9-4F49-9858-F610E93DEA86 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4DD260 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616742Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:24:28 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3766095560-1330249705-284579992-2263498217 Account Name: E07A0EC8-FFE9-4F49-9858-F610E93DEA86 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4DD260 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616741Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:24:28 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E07A0EC8-FFE9-4F49-9858-F610E93DEA86 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616740Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:24:28 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3766095560-1330249705-284579992-2263498217 Account Name: E07A0EC8-FFE9-4F49-9858-F610E93DEA86 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4DD217 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616739Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:24:28 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3766095560-1330249705-284579992-2263498217 Account Name: E07A0EC8-FFE9-4F49-9858-F610E93DEA86 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4DD217 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616738Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:24:28 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3766095560-1330249705-284579992-2263498217 Account Name: E07A0EC8-FFE9-4F49-9858-F610E93DEA86 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4DD217 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616737Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:24:28 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E07A0EC8-FFE9-4F49-9858-F610E93DEA86 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616736Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:24:28 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3766095560-1330249705-284579992-2263498217 Account Name: E07A0EC8-FFE9-4F49-9858-F610E93DEA86 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4DD171 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616735Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:24:28 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3766095560-1330249705-284579992-2263498217 Account Name: E07A0EC8-FFE9-4F49-9858-F610E93DEA86 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4DD171 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616734Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:24:28 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E07A0EC8-FFE9-4F49-9858-F610E93DEA86 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616733Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:24:28 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x4DB8C2 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616732Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:24:16 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x4DB8C2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F2DBABA7-740C-DE72-ECA8-9330E34E56B4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 54096 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616731Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:24:03 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x4DB8C2 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616730Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:24:03 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-24950583-1284905987-2141464206-2759853288 Account Name: 017CB737-1C03-4C96-8E26-A47FE80480A4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D0B46 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616729Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:23:21 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-24950583-1284905987-2141464206-2759853288 Account Name: 017CB737-1C03-4C96-8E26-A47FE80480A4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D30F0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616728Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:23:15 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-24950583-1284905987-2141464206-2759853288 Account Name: 017CB737-1C03-4C96-8E26-A47FE80480A4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D30F0 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616727Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:23:15 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-24950583-1284905987-2141464206-2759853288 Account Name: 017CB737-1C03-4C96-8E26-A47FE80480A4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D30F0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616726Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:23:15 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 017CB737-1C03-4C96-8E26-A47FE80480A4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616725Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:23:15 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-24950583-1284905987-2141464206-2759853288 Account Name: 017CB737-1C03-4C96-8E26-A47FE80480A4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D18C5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616724Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:23:14 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-24950583-1284905987-2141464206-2759853288 Account Name: 017CB737-1C03-4C96-8E26-A47FE80480A4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D18C5 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616723Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:23:14 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-24950583-1284905987-2141464206-2759853288 Account Name: 017CB737-1C03-4C96-8E26-A47FE80480A4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D18C5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616722Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:23:14 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 017CB737-1C03-4C96-8E26-A47FE80480A4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616721Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:23:14 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-24950583-1284905987-2141464206-2759853288 Account Name: 017CB737-1C03-4C96-8E26-A47FE80480A4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D09FE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616720Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:23:14 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-24950583-1284905987-2141464206-2759853288 Account Name: 017CB737-1C03-4C96-8E26-A47FE80480A4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D0B46 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616719Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:23:14 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-24950583-1284905987-2141464206-2759853288 Account Name: 017CB737-1C03-4C96-8E26-A47FE80480A4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D0B46 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616718Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:23:14 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 017CB737-1C03-4C96-8E26-A47FE80480A4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616717Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:23:14 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-24950583-1284905987-2141464206-2759853288 Account Name: 017CB737-1C03-4C96-8E26-A47FE80480A4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D0AED Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616716Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:23:14 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-24950583-1284905987-2141464206-2759853288 Account Name: 017CB737-1C03-4C96-8E26-A47FE80480A4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D0AED Privileges: SeImpersonatePrivilege467200125480-921436483760003481616715Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:23:14 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-24950583-1284905987-2141464206-2759853288 Account Name: 017CB737-1C03-4C96-8E26-A47FE80480A4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D0AED Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616714Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:23:14 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 017CB737-1C03-4C96-8E26-A47FE80480A4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616713Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:23:14 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-24950583-1284905987-2141464206-2759853288 Account Name: 017CB737-1C03-4C96-8E26-A47FE80480A4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D0AA4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616712Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:23:14 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-24950583-1284905987-2141464206-2759853288 Account Name: 017CB737-1C03-4C96-8E26-A47FE80480A4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D0AA4 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616711Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:23:14 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-24950583-1284905987-2141464206-2759853288 Account Name: 017CB737-1C03-4C96-8E26-A47FE80480A4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D0AA4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616710Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:23:14 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 017CB737-1C03-4C96-8E26-A47FE80480A4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616709Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:23:14 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-24950583-1284905987-2141464206-2759853288 Account Name: 017CB737-1C03-4C96-8E26-A47FE80480A4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D09FE Privileges: SeImpersonatePrivilege467200125480-921436483760003481616708Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:23:14 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-24950583-1284905987-2141464206-2759853288 Account Name: 017CB737-1C03-4C96-8E26-A47FE80480A4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D09FE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616707Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:23:14 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 017CB737-1C03-4C96-8E26-A47FE80480A4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616706Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:23:14 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x4CC801 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616705Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:22:16 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x4CC801 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F2DBABA7-740C-DE72-ECA8-9330E34E56B4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 54077 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616704Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:22:02 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x4CC801 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616703Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:22:02 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3022693995-1095201399-2553090196-695472592 Account Name: B42AA66B-7277-4147-9410-2D98D0117429 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4BFFF7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616702Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:21:58 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3022693995-1095201399-2553090196-695472592 Account Name: B42AA66B-7277-4147-9410-2D98D0117429 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4C41CF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616701Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:21:11 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3022693995-1095201399-2553090196-695472592 Account Name: B42AA66B-7277-4147-9410-2D98D0117429 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4C41CF Privileges: SeImpersonatePrivilege467200125480-921436483760003481616700Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:21:11 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3022693995-1095201399-2553090196-695472592 Account Name: B42AA66B-7277-4147-9410-2D98D0117429 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4C41CF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616699Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:21:11 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B42AA66B-7277-4147-9410-2D98D0117429 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616698Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:21:11 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3022693995-1095201399-2553090196-695472592 Account Name: B42AA66B-7277-4147-9410-2D98D0117429 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4C0CC8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616697Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:21:01 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3022693995-1095201399-2553090196-695472592 Account Name: B42AA66B-7277-4147-9410-2D98D0117429 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4C0CC8 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616696Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:21:01 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3022693995-1095201399-2553090196-695472592 Account Name: B42AA66B-7277-4147-9410-2D98D0117429 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4C0CC8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616695Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:21:01 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B42AA66B-7277-4147-9410-2D98D0117429 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616694Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:21:01 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3022693995-1095201399-2553090196-695472592 Account Name: B42AA66B-7277-4147-9410-2D98D0117429 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4BFEB0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616693Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:21:01 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3022693995-1095201399-2553090196-695472592 Account Name: B42AA66B-7277-4147-9410-2D98D0117429 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4BFFF7 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616692Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:21:01 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3022693995-1095201399-2553090196-695472592 Account Name: B42AA66B-7277-4147-9410-2D98D0117429 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4BFFF7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616691Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:21:01 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B42AA66B-7277-4147-9410-2D98D0117429 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616690Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:21:01 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3022693995-1095201399-2553090196-695472592 Account Name: B42AA66B-7277-4147-9410-2D98D0117429 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4BFF9E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616689Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:21:00 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3022693995-1095201399-2553090196-695472592 Account Name: B42AA66B-7277-4147-9410-2D98D0117429 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4BFF9E Privileges: SeImpersonatePrivilege467200125480-921436483760003481616688Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:21:00 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3022693995-1095201399-2553090196-695472592 Account Name: B42AA66B-7277-4147-9410-2D98D0117429 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4BFF9E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616687Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:21:00 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B42AA66B-7277-4147-9410-2D98D0117429 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616686Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:21:00 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3022693995-1095201399-2553090196-695472592 Account Name: B42AA66B-7277-4147-9410-2D98D0117429 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4BFF55 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616685Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:21:00 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3022693995-1095201399-2553090196-695472592 Account Name: B42AA66B-7277-4147-9410-2D98D0117429 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4BFF55 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616684Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:21:00 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3022693995-1095201399-2553090196-695472592 Account Name: B42AA66B-7277-4147-9410-2D98D0117429 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4BFF55 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616683Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:21:00 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B42AA66B-7277-4147-9410-2D98D0117429 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616682Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:21:00 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3022693995-1095201399-2553090196-695472592 Account Name: B42AA66B-7277-4147-9410-2D98D0117429 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4BFEB0 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616681Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:21:00 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3022693995-1095201399-2553090196-695472592 Account Name: B42AA66B-7277-4147-9410-2D98D0117429 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4BFEB0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616680Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:21:00 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B42AA66B-7277-4147-9410-2D98D0117429 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616679Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:21:00 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3703244890-1092014909-3808806550-2275429910 Account Name: DCBB085A-D33D-4116-96C6-05E3164EA087 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4B8062 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616678Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:20:53 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3703244890-1092014909-3808806550-2275429910 Account Name: DCBB085A-D33D-4116-96C6-05E3164EA087 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4BA5B2 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616677Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:20:47 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3703244890-1092014909-3808806550-2275429910 Account Name: DCBB085A-D33D-4116-96C6-05E3164EA087 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4BA5B2 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616676Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:20:47 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3703244890-1092014909-3808806550-2275429910 Account Name: DCBB085A-D33D-4116-96C6-05E3164EA087 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4BA5B2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616675Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:20:47 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DCBB085A-D33D-4116-96C6-05E3164EA087 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616674Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:20:47 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3703244890-1092014909-3808806550-2275429910 Account Name: DCBB085A-D33D-4116-96C6-05E3164EA087 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4B8D39 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616673Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:20:46 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3703244890-1092014909-3808806550-2275429910 Account Name: DCBB085A-D33D-4116-96C6-05E3164EA087 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4B8D39 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616672Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:20:46 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3703244890-1092014909-3808806550-2275429910 Account Name: DCBB085A-D33D-4116-96C6-05E3164EA087 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4B8D39 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616671Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:20:46 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DCBB085A-D33D-4116-96C6-05E3164EA087 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616670Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:20:46 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3703244890-1092014909-3808806550-2275429910 Account Name: DCBB085A-D33D-4116-96C6-05E3164EA087 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4B7EA3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616669Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:20:45 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3703244890-1092014909-3808806550-2275429910 Account Name: DCBB085A-D33D-4116-96C6-05E3164EA087 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4B8062 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616668Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:20:45 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3703244890-1092014909-3808806550-2275429910 Account Name: DCBB085A-D33D-4116-96C6-05E3164EA087 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4B8062 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616667Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:20:45 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DCBB085A-D33D-4116-96C6-05E3164EA087 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616666Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:20:45 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3703244890-1092014909-3808806550-2275429910 Account Name: DCBB085A-D33D-4116-96C6-05E3164EA087 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4B8009 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616665Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:20:45 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3703244890-1092014909-3808806550-2275429910 Account Name: DCBB085A-D33D-4116-96C6-05E3164EA087 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4B8009 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616664Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:20:45 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3703244890-1092014909-3808806550-2275429910 Account Name: DCBB085A-D33D-4116-96C6-05E3164EA087 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4B8009 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616663Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:20:45 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DCBB085A-D33D-4116-96C6-05E3164EA087 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616662Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:20:45 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3703244890-1092014909-3808806550-2275429910 Account Name: DCBB085A-D33D-4116-96C6-05E3164EA087 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4B7FC0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616661Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:20:45 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3703244890-1092014909-3808806550-2275429910 Account Name: DCBB085A-D33D-4116-96C6-05E3164EA087 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4B7FC0 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616660Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:20:45 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3703244890-1092014909-3808806550-2275429910 Account Name: DCBB085A-D33D-4116-96C6-05E3164EA087 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4B7FC0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616659Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:20:45 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DCBB085A-D33D-4116-96C6-05E3164EA087 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616658Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:20:45 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3703244890-1092014909-3808806550-2275429910 Account Name: DCBB085A-D33D-4116-96C6-05E3164EA087 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4B7EA3 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616657Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:20:45 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3703244890-1092014909-3808806550-2275429910 Account Name: DCBB085A-D33D-4116-96C6-05E3164EA087 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4B7EA3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616656Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:20:45 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DCBB085A-D33D-4116-96C6-05E3164EA087 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616655Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:20:45 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2037477164-1277113533-484523448-1709321815 Account Name: 79716F2C-34BD-4C1F-B83D-E11C572EE265 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4AE4FC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616654Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:20:44 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x4AD2E5 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616653Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:20:16 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2037477164-1277113533-484523448-1709321815 Account Name: 79716F2C-34BD-4C1F-B83D-E11C572EE265 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4B09DB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616652Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:20:15 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2037477164-1277113533-484523448-1709321815 Account Name: 79716F2C-34BD-4C1F-B83D-E11C572EE265 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4B09DB Privileges: SeImpersonatePrivilege467200125480-921436483760003481616651Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:20:15 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2037477164-1277113533-484523448-1709321815 Account Name: 79716F2C-34BD-4C1F-B83D-E11C572EE265 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4B09DB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616650Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:20:15 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 79716F2C-34BD-4C1F-B83D-E11C572EE265 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616649Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:20:15 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2037477164-1277113533-484523448-1709321815 Account Name: 79716F2C-34BD-4C1F-B83D-E11C572EE265 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4AF205 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616648Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:20:14 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2037477164-1277113533-484523448-1709321815 Account Name: 79716F2C-34BD-4C1F-B83D-E11C572EE265 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4AF205 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616647Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:20:14 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2037477164-1277113533-484523448-1709321815 Account Name: 79716F2C-34BD-4C1F-B83D-E11C572EE265 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4AF205 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616646Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:20:14 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 79716F2C-34BD-4C1F-B83D-E11C572EE265 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616645Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:20:14 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2037477164-1277113533-484523448-1709321815 Account Name: 79716F2C-34BD-4C1F-B83D-E11C572EE265 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4AE3B4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616644Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:20:13 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2037477164-1277113533-484523448-1709321815 Account Name: 79716F2C-34BD-4C1F-B83D-E11C572EE265 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4AE4FC Privileges: SeImpersonatePrivilege467200125480-921436483760003481616643Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:20:13 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2037477164-1277113533-484523448-1709321815 Account Name: 79716F2C-34BD-4C1F-B83D-E11C572EE265 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4AE4FC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616642Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:20:13 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 79716F2C-34BD-4C1F-B83D-E11C572EE265 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616641Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:20:13 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2037477164-1277113533-484523448-1709321815 Account Name: 79716F2C-34BD-4C1F-B83D-E11C572EE265 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4AE4A3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616640Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:20:13 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2037477164-1277113533-484523448-1709321815 Account Name: 79716F2C-34BD-4C1F-B83D-E11C572EE265 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4AE4A3 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616639Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:20:13 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2037477164-1277113533-484523448-1709321815 Account Name: 79716F2C-34BD-4C1F-B83D-E11C572EE265 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4AE4A3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616638Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:20:13 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 79716F2C-34BD-4C1F-B83D-E11C572EE265 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616637Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:20:13 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2037477164-1277113533-484523448-1709321815 Account Name: 79716F2C-34BD-4C1F-B83D-E11C572EE265 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4AE45A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616636Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:20:13 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2037477164-1277113533-484523448-1709321815 Account Name: 79716F2C-34BD-4C1F-B83D-E11C572EE265 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4AE45A Privileges: SeImpersonatePrivilege467200125480-921436483760003481616635Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:20:13 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2037477164-1277113533-484523448-1709321815 Account Name: 79716F2C-34BD-4C1F-B83D-E11C572EE265 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4AE45A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616634Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:20:13 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 79716F2C-34BD-4C1F-B83D-E11C572EE265 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616633Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:20:13 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2037477164-1277113533-484523448-1709321815 Account Name: 79716F2C-34BD-4C1F-B83D-E11C572EE265 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4AE3B4 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616632Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:20:13 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2037477164-1277113533-484523448-1709321815 Account Name: 79716F2C-34BD-4C1F-B83D-E11C572EE265 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4AE3B4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616631Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:20:13 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 79716F2C-34BD-4C1F-B83D-E11C572EE265 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616630Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:20:13 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x4AD2E5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F2DBABA7-740C-DE72-ECA8-9330E34E56B4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 54050 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616629Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:20:01 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x4AD2E5 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616628Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:20:01 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-210356532-1289080646-2673989541-2992605823 Account Name: 0C89C934-CF46-4CD5-A5D7-619F7F8A5FB2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A0DFA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616627Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:19:49 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-210356532-1289080646-2673989541-2992605823 Account Name: 0C89C934-CF46-4CD5-A5D7-619F7F8A5FB2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A51B0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616626Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:19:12 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-210356532-1289080646-2673989541-2992605823 Account Name: 0C89C934-CF46-4CD5-A5D7-619F7F8A5FB2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A51B0 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616625Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:19:12 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-210356532-1289080646-2673989541-2992605823 Account Name: 0C89C934-CF46-4CD5-A5D7-619F7F8A5FB2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A51B0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616624Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:19:12 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0C89C934-CF46-4CD5-A5D7-619F7F8A5FB2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616623Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:19:12 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-210356532-1289080646-2673989541-2992605823 Account Name: 0C89C934-CF46-4CD5-A5D7-619F7F8A5FB2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A1B04 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616622Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:19:02 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-210356532-1289080646-2673989541-2992605823 Account Name: 0C89C934-CF46-4CD5-A5D7-619F7F8A5FB2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A1B04 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616621Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:19:02 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-210356532-1289080646-2673989541-2992605823 Account Name: 0C89C934-CF46-4CD5-A5D7-619F7F8A5FB2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A1B04 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616620Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:19:02 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0C89C934-CF46-4CD5-A5D7-619F7F8A5FB2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616619Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:19:02 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-210356532-1289080646-2673989541-2992605823 Account Name: 0C89C934-CF46-4CD5-A5D7-619F7F8A5FB2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A0CAE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616618Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:19:02 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-210356532-1289080646-2673989541-2992605823 Account Name: 0C89C934-CF46-4CD5-A5D7-619F7F8A5FB2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A0DFA Privileges: SeImpersonatePrivilege467200125480-921436483760003481616617Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:19:02 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-210356532-1289080646-2673989541-2992605823 Account Name: 0C89C934-CF46-4CD5-A5D7-619F7F8A5FB2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A0DFA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616616Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:19:02 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0C89C934-CF46-4CD5-A5D7-619F7F8A5FB2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616615Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:19:02 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-210356532-1289080646-2673989541-2992605823 Account Name: 0C89C934-CF46-4CD5-A5D7-619F7F8A5FB2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A0DA1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616614Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:19:02 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-210356532-1289080646-2673989541-2992605823 Account Name: 0C89C934-CF46-4CD5-A5D7-619F7F8A5FB2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A0DA1 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616613Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:19:02 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-210356532-1289080646-2673989541-2992605823 Account Name: 0C89C934-CF46-4CD5-A5D7-619F7F8A5FB2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A0DA1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616612Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:19:02 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0C89C934-CF46-4CD5-A5D7-619F7F8A5FB2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616611Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:19:02 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-210356532-1289080646-2673989541-2992605823 Account Name: 0C89C934-CF46-4CD5-A5D7-619F7F8A5FB2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A0D58 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616610Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:19:01 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-210356532-1289080646-2673989541-2992605823 Account Name: 0C89C934-CF46-4CD5-A5D7-619F7F8A5FB2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A0D58 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616609Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:19:01 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-210356532-1289080646-2673989541-2992605823 Account Name: 0C89C934-CF46-4CD5-A5D7-619F7F8A5FB2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A0D58 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616608Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:19:01 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0C89C934-CF46-4CD5-A5D7-619F7F8A5FB2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616607Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:19:01 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-210356532-1289080646-2673989541-2992605823 Account Name: 0C89C934-CF46-4CD5-A5D7-619F7F8A5FB2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A0CAE Privileges: SeImpersonatePrivilege467200125480-921436483760003481616606Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:19:01 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-210356532-1289080646-2673989541-2992605823 Account Name: 0C89C934-CF46-4CD5-A5D7-619F7F8A5FB2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A0CAE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616605Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:19:01 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0C89C934-CF46-4CD5-A5D7-619F7F8A5FB2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616604Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:19:01 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-573105837-1122883641-1239351456-3317256590 Account Name: 2228E6AD-D839-42ED-A000-DF498E51B9C5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3D5C4D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616603Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:18:24 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x4919F2 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616602Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:18:14 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3479232880-1308558688-3637326010-2045601624 Account Name: CF60E170-0560-4DFF-BA30-CDD85867ED79 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x426DD0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616601Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:18:13 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2340252822-1117037643-73295524-2680596491 Account Name: 8B7D6C96-A44B-4294-A466-5E040BA8C69F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x473022 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616600Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:18:07 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x4919F2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F2DBABA7-740C-DE72-ECA8-9330E34E56B4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 54021 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616599Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:18:00 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x4919F2 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616598Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:18:00 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2527725471-1342037197-2430388405-5723350 Account Name: 96AA079F-DCCD-4FFD-B5C8-DC90D6545700 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x47B676 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616597Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:17:29 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2527725471-1342037197-2430388405-5723350 Account Name: 96AA079F-DCCD-4FFD-B5C8-DC90D6545700 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x485FD8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616596Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:17:25 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2527725471-1342037197-2430388405-5723350 Account Name: 96AA079F-DCCD-4FFD-B5C8-DC90D6545700 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x485FD8 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616595Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:17:25 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2527725471-1342037197-2430388405-5723350 Account Name: 96AA079F-DCCD-4FFD-B5C8-DC90D6545700 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x485FD8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616594Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:17:25 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 96AA079F-DCCD-4FFD-B5C8-DC90D6545700 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616593Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 6:17:25 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x472AD8 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616592Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:16:44 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2527725471-1342037197-2430388405-5723350 Account Name: 96AA079F-DCCD-4FFD-B5C8-DC90D6545700 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x48089A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616591Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:16:40 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2527725471-1342037197-2430388405-5723350 Account Name: 96AA079F-DCCD-4FFD-B5C8-DC90D6545700 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x48089A Privileges: SeImpersonatePrivilege467200125480-921436483760003481616590Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:16:40 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2527725471-1342037197-2430388405-5723350 Account Name: 96AA079F-DCCD-4FFD-B5C8-DC90D6545700 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x48089A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616589Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:16:40 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 96AA079F-DCCD-4FFD-B5C8-DC90D6545700 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616588Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:16:40 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2527725471-1342037197-2430388405-5723350 Account Name: 96AA079F-DCCD-4FFD-B5C8-DC90D6545700 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x47C3F2 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616587Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:16:33 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2527725471-1342037197-2430388405-5723350 Account Name: 96AA079F-DCCD-4FFD-B5C8-DC90D6545700 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x47C3F2 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616586Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:16:33 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2527725471-1342037197-2430388405-5723350 Account Name: 96AA079F-DCCD-4FFD-B5C8-DC90D6545700 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x47C3F2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616585Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:16:33 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 96AA079F-DCCD-4FFD-B5C8-DC90D6545700 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616584Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:16:33 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2527725471-1342037197-2430388405-5723350 Account Name: 96AA079F-DCCD-4FFD-B5C8-DC90D6545700 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x47B52B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616583Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:16:33 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2527725471-1342037197-2430388405-5723350 Account Name: 96AA079F-DCCD-4FFD-B5C8-DC90D6545700 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x47B676 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616582Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:16:33 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2527725471-1342037197-2430388405-5723350 Account Name: 96AA079F-DCCD-4FFD-B5C8-DC90D6545700 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x47B676 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616581Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:16:33 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 96AA079F-DCCD-4FFD-B5C8-DC90D6545700 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616580Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:16:33 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2527725471-1342037197-2430388405-5723350 Account Name: 96AA079F-DCCD-4FFD-B5C8-DC90D6545700 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x47B619 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616579Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:16:33 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2527725471-1342037197-2430388405-5723350 Account Name: 96AA079F-DCCD-4FFD-B5C8-DC90D6545700 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x47B619 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616578Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:16:33 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2527725471-1342037197-2430388405-5723350 Account Name: 96AA079F-DCCD-4FFD-B5C8-DC90D6545700 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x47B619 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616577Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:16:33 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 96AA079F-DCCD-4FFD-B5C8-DC90D6545700 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616576Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:16:33 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2527725471-1342037197-2430388405-5723350 Account Name: 96AA079F-DCCD-4FFD-B5C8-DC90D6545700 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x47B5D0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616575Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:16:33 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2527725471-1342037197-2430388405-5723350 Account Name: 96AA079F-DCCD-4FFD-B5C8-DC90D6545700 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x47B5D0 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616574Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:16:33 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2527725471-1342037197-2430388405-5723350 Account Name: 96AA079F-DCCD-4FFD-B5C8-DC90D6545700 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x47B5D0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616573Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:16:33 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 96AA079F-DCCD-4FFD-B5C8-DC90D6545700 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616572Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:16:33 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2527725471-1342037197-2430388405-5723350 Account Name: 96AA079F-DCCD-4FFD-B5C8-DC90D6545700 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x47B52B Privileges: SeImpersonatePrivilege467200125480-921436483760003481616571Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:16:32 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2527725471-1342037197-2430388405-5723350 Account Name: 96AA079F-DCCD-4FFD-B5C8-DC90D6545700 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x47B52B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616570Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:16:32 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 96AA079F-DCCD-4FFD-B5C8-DC90D6545700 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616569Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:16:32 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2340252822-1117037643-73295524-2680596491 Account Name: 8B7D6C96-A44B-4294-A466-5E040BA8C69F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x477044 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616568Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:16:10 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2340252822-1117037643-73295524-2680596491 Account Name: 8B7D6C96-A44B-4294-A466-5E040BA8C69F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x477044 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616567Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:16:10 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2340252822-1117037643-73295524-2680596491 Account Name: 8B7D6C96-A44B-4294-A466-5E040BA8C69F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x477044 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616566Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:16:10 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8B7D6C96-A44B-4294-A466-5E040BA8C69F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616565Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:16:10 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2340252822-1117037643-73295524-2680596491 Account Name: 8B7D6C96-A44B-4294-A466-5E040BA8C69F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x473D98 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616564Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:16:05 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2340252822-1117037643-73295524-2680596491 Account Name: 8B7D6C96-A44B-4294-A466-5E040BA8C69F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x473D98 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616563Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:16:05 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2340252822-1117037643-73295524-2680596491 Account Name: 8B7D6C96-A44B-4294-A466-5E040BA8C69F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x473D98 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616562Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:16:05 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8B7D6C96-A44B-4294-A466-5E040BA8C69F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616561Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:16:05 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2340252822-1117037643-73295524-2680596491 Account Name: 8B7D6C96-A44B-4294-A466-5E040BA8C69F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x472EDA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616560Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:16:05 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2340252822-1117037643-73295524-2680596491 Account Name: 8B7D6C96-A44B-4294-A466-5E040BA8C69F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x473022 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616559Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:16:05 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2340252822-1117037643-73295524-2680596491 Account Name: 8B7D6C96-A44B-4294-A466-5E040BA8C69F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x473022 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616558Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:16:05 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8B7D6C96-A44B-4294-A466-5E040BA8C69F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616557Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:16:05 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2340252822-1117037643-73295524-2680596491 Account Name: 8B7D6C96-A44B-4294-A466-5E040BA8C69F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x472FC9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616556Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:16:05 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2340252822-1117037643-73295524-2680596491 Account Name: 8B7D6C96-A44B-4294-A466-5E040BA8C69F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x472FC9 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616555Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:16:05 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2340252822-1117037643-73295524-2680596491 Account Name: 8B7D6C96-A44B-4294-A466-5E040BA8C69F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x472FC9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616554Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:16:05 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8B7D6C96-A44B-4294-A466-5E040BA8C69F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616553Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:16:05 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2340252822-1117037643-73295524-2680596491 Account Name: 8B7D6C96-A44B-4294-A466-5E040BA8C69F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x472F80 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616552Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:16:05 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2340252822-1117037643-73295524-2680596491 Account Name: 8B7D6C96-A44B-4294-A466-5E040BA8C69F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x472F80 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616551Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:16:05 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2340252822-1117037643-73295524-2680596491 Account Name: 8B7D6C96-A44B-4294-A466-5E040BA8C69F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x472F80 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616550Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:16:05 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8B7D6C96-A44B-4294-A466-5E040BA8C69F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616549Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:16:05 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2340252822-1117037643-73295524-2680596491 Account Name: 8B7D6C96-A44B-4294-A466-5E040BA8C69F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x472EDA Privileges: SeImpersonatePrivilege467200125480-921436483760003481616548Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:16:05 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2340252822-1117037643-73295524-2680596491 Account Name: 8B7D6C96-A44B-4294-A466-5E040BA8C69F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x472EDA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616547Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:16:05 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8B7D6C96-A44B-4294-A466-5E040BA8C69F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616546Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:16:05 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x472AD8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F2DBABA7-740C-DE72-ECA8-9330E34E56B4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 53993 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616545Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:15:59 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x472AD8 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616544Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:15:59 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x42CF5F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616543Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:15:14 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1769323455-1157698482-3043807670-912024535 Account Name: 6975BBBF-13B2-4501-B6D1-6CB5D7635C36 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x433EDC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616542Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:15:00 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1769323455-1157698482-3043807670-912024535 Account Name: 6975BBBF-13B2-4501-B6D1-6CB5D7635C36 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x437FFE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616541Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:14:51 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1769323455-1157698482-3043807670-912024535 Account Name: 6975BBBF-13B2-4501-B6D1-6CB5D7635C36 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x437FFE Privileges: SeImpersonatePrivilege467200125480-921436483760003481616540Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:14:51 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1769323455-1157698482-3043807670-912024535 Account Name: 6975BBBF-13B2-4501-B6D1-6CB5D7635C36 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x437FFE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616539Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:14:51 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6975BBBF-13B2-4501-B6D1-6CB5D7635C36 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616538Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:14:51 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1769323455-1157698482-3043807670-912024535 Account Name: 6975BBBF-13B2-4501-B6D1-6CB5D7635C36 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x434D46 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616537Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:14:45 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1769323455-1157698482-3043807670-912024535 Account Name: 6975BBBF-13B2-4501-B6D1-6CB5D7635C36 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x434D46 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616536Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:14:45 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1769323455-1157698482-3043807670-912024535 Account Name: 6975BBBF-13B2-4501-B6D1-6CB5D7635C36 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x434D46 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616535Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:14:45 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6975BBBF-13B2-4501-B6D1-6CB5D7635C36 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616534Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:14:45 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1769323455-1157698482-3043807670-912024535 Account Name: 6975BBBF-13B2-4501-B6D1-6CB5D7635C36 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x433D94 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616533Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:14:45 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1769323455-1157698482-3043807670-912024535 Account Name: 6975BBBF-13B2-4501-B6D1-6CB5D7635C36 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x433EDC Privileges: SeImpersonatePrivilege467200125480-921436483760003481616532Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:14:45 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1769323455-1157698482-3043807670-912024535 Account Name: 6975BBBF-13B2-4501-B6D1-6CB5D7635C36 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x433EDC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616531Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:14:45 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6975BBBF-13B2-4501-B6D1-6CB5D7635C36 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616530Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:14:45 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1769323455-1157698482-3043807670-912024535 Account Name: 6975BBBF-13B2-4501-B6D1-6CB5D7635C36 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x433E83 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616529Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:14:45 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1769323455-1157698482-3043807670-912024535 Account Name: 6975BBBF-13B2-4501-B6D1-6CB5D7635C36 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x433E83 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616528Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:14:45 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1769323455-1157698482-3043807670-912024535 Account Name: 6975BBBF-13B2-4501-B6D1-6CB5D7635C36 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x433E83 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616527Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:14:45 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6975BBBF-13B2-4501-B6D1-6CB5D7635C36 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616526Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:14:45 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1769323455-1157698482-3043807670-912024535 Account Name: 6975BBBF-13B2-4501-B6D1-6CB5D7635C36 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x433E3A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616525Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:14:45 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1769323455-1157698482-3043807670-912024535 Account Name: 6975BBBF-13B2-4501-B6D1-6CB5D7635C36 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x433E3A Privileges: SeImpersonatePrivilege467200125480-921436483760003481616524Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:14:45 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1769323455-1157698482-3043807670-912024535 Account Name: 6975BBBF-13B2-4501-B6D1-6CB5D7635C36 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x433E3A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616523Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:14:45 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6975BBBF-13B2-4501-B6D1-6CB5D7635C36 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616522Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:14:45 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1769323455-1157698482-3043807670-912024535 Account Name: 6975BBBF-13B2-4501-B6D1-6CB5D7635C36 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x433D94 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616521Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:14:45 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1769323455-1157698482-3043807670-912024535 Account Name: 6975BBBF-13B2-4501-B6D1-6CB5D7635C36 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x433D94 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616520Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:14:45 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6975BBBF-13B2-4501-B6D1-6CB5D7635C36 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616519Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:14:45 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x42CF5F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F2DBABA7-740C-DE72-ECA8-9330E34E56B4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 53938 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616518Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:13:58 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x42CF5F Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616517Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:13:58 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3479232880-1308558688-3637326010-2045601624 Account Name: CF60E170-0560-4DFF-BA30-CDD85867ED79 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x42AEB0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616516Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:13:41 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3479232880-1308558688-3637326010-2045601624 Account Name: CF60E170-0560-4DFF-BA30-CDD85867ED79 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x42AEB0 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616515Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:13:41 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3479232880-1308558688-3637326010-2045601624 Account Name: CF60E170-0560-4DFF-BA30-CDD85867ED79 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x42AEB0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616514Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:13:41 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CF60E170-0560-4DFF-BA30-CDD85867ED79 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616513Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:13:41 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3479232880-1308558688-3637326010-2045601624 Account Name: CF60E170-0560-4DFF-BA30-CDD85867ED79 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x427AFA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616512Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:13:34 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3479232880-1308558688-3637326010-2045601624 Account Name: CF60E170-0560-4DFF-BA30-CDD85867ED79 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x427AFA Privileges: SeImpersonatePrivilege467200125480-921436483760003481616511Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:13:34 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3479232880-1308558688-3637326010-2045601624 Account Name: CF60E170-0560-4DFF-BA30-CDD85867ED79 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x427AFA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616510Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:13:34 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CF60E170-0560-4DFF-BA30-CDD85867ED79 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616509Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:13:34 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3479232880-1308558688-3637326010-2045601624 Account Name: CF60E170-0560-4DFF-BA30-CDD85867ED79 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x426C80 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616508Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:13:34 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3479232880-1308558688-3637326010-2045601624 Account Name: CF60E170-0560-4DFF-BA30-CDD85867ED79 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x426DD0 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616507Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:13:34 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3479232880-1308558688-3637326010-2045601624 Account Name: CF60E170-0560-4DFF-BA30-CDD85867ED79 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x426DD0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616506Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:13:34 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CF60E170-0560-4DFF-BA30-CDD85867ED79 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616505Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:13:34 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3479232880-1308558688-3637326010-2045601624 Account Name: CF60E170-0560-4DFF-BA30-CDD85867ED79 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x426D6F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616504Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:13:34 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3479232880-1308558688-3637326010-2045601624 Account Name: CF60E170-0560-4DFF-BA30-CDD85867ED79 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x426D6F Privileges: SeImpersonatePrivilege467200125480-921436483760003481616503Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:13:34 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3479232880-1308558688-3637326010-2045601624 Account Name: CF60E170-0560-4DFF-BA30-CDD85867ED79 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x426D6F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616502Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:13:34 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CF60E170-0560-4DFF-BA30-CDD85867ED79 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616501Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:13:34 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3479232880-1308558688-3637326010-2045601624 Account Name: CF60E170-0560-4DFF-BA30-CDD85867ED79 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x426D26 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616500Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:13:34 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3479232880-1308558688-3637326010-2045601624 Account Name: CF60E170-0560-4DFF-BA30-CDD85867ED79 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x426D26 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616499Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:13:34 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3479232880-1308558688-3637326010-2045601624 Account Name: CF60E170-0560-4DFF-BA30-CDD85867ED79 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x426D26 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616498Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:13:34 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CF60E170-0560-4DFF-BA30-CDD85867ED79 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616497Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:13:34 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3479232880-1308558688-3637326010-2045601624 Account Name: CF60E170-0560-4DFF-BA30-CDD85867ED79 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x426C80 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616496Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:13:34 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3479232880-1308558688-3637326010-2045601624 Account Name: CF60E170-0560-4DFF-BA30-CDD85867ED79 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x426C80 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616495Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:13:34 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CF60E170-0560-4DFF-BA30-CDD85867ED79 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616494Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:13:34 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3046123406-1282304736-851760533-431994019 Account Name: B590278E-6AE0-4C6E-95D5-C432A3B4BF19 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x413E7C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616493Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:13:08 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1221871965-1136215042-3300202422-2556157741 Account Name: 48D4495D-4402-43B9-B617-B5C42DDF5B98 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4121FF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616492Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:13:05 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3046123406-1282304736-851760533-431994019 Account Name: B590278E-6AE0-4C6E-95D5-C432A3B4BF19 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x41B60C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616491Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:13:03 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3046123406-1282304736-851760533-431994019 Account Name: B590278E-6AE0-4C6E-95D5-C432A3B4BF19 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x41B60C Privileges: SeImpersonatePrivilege467200125480-921436483760003481616490Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:13:03 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3046123406-1282304736-851760533-431994019 Account Name: B590278E-6AE0-4C6E-95D5-C432A3B4BF19 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x41B60C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616489Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:13:03 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B590278E-6AE0-4C6E-95D5-C432A3B4BF19 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616488Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:13:03 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1221871965-1136215042-3300202422-2556157741 Account Name: 48D4495D-4402-43B9-B617-B5C42DDF5B98 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x418FAB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616487Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:13:01 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1221871965-1136215042-3300202422-2556157741 Account Name: 48D4495D-4402-43B9-B617-B5C42DDF5B98 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x418FAB Privileges: SeImpersonatePrivilege467200125480-921436483760003481616486Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:13:01 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1221871965-1136215042-3300202422-2556157741 Account Name: 48D4495D-4402-43B9-B617-B5C42DDF5B98 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x418FAB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616485Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:13:01 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 48D4495D-4402-43B9-B617-B5C42DDF5B98 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616484Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:13:01 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3046123406-1282304736-851760533-431994019 Account Name: B590278E-6AE0-4C6E-95D5-C432A3B4BF19 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x414BFF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616483Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:12:57 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3046123406-1282304736-851760533-431994019 Account Name: B590278E-6AE0-4C6E-95D5-C432A3B4BF19 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x414BFF Privileges: SeImpersonatePrivilege467200125480-921436483760003481616482Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:12:57 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3046123406-1282304736-851760533-431994019 Account Name: B590278E-6AE0-4C6E-95D5-C432A3B4BF19 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x414BFF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616481Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:12:57 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B590278E-6AE0-4C6E-95D5-C432A3B4BF19 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616480Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:12:57 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3046123406-1282304736-851760533-431994019 Account Name: B590278E-6AE0-4C6E-95D5-C432A3B4BF19 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x413CC4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616479Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:12:56 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3046123406-1282304736-851760533-431994019 Account Name: B590278E-6AE0-4C6E-95D5-C432A3B4BF19 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x413E7C Privileges: SeImpersonatePrivilege467200125480-921436483760003481616478Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:12:56 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3046123406-1282304736-851760533-431994019 Account Name: B590278E-6AE0-4C6E-95D5-C432A3B4BF19 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x413E7C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616477Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:12:56 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B590278E-6AE0-4C6E-95D5-C432A3B4BF19 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616476Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:12:56 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3046123406-1282304736-851760533-431994019 Account Name: B590278E-6AE0-4C6E-95D5-C432A3B4BF19 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x413DB2 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616475Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:12:56 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3046123406-1282304736-851760533-431994019 Account Name: B590278E-6AE0-4C6E-95D5-C432A3B4BF19 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x413DB2 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616474Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:12:56 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3046123406-1282304736-851760533-431994019 Account Name: B590278E-6AE0-4C6E-95D5-C432A3B4BF19 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x413DB2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616473Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:12:56 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B590278E-6AE0-4C6E-95D5-C432A3B4BF19 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616472Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:12:56 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3046123406-1282304736-851760533-431994019 Account Name: B590278E-6AE0-4C6E-95D5-C432A3B4BF19 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x413D69 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616471Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:12:56 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3046123406-1282304736-851760533-431994019 Account Name: B590278E-6AE0-4C6E-95D5-C432A3B4BF19 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x413D69 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616470Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:12:56 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3046123406-1282304736-851760533-431994019 Account Name: B590278E-6AE0-4C6E-95D5-C432A3B4BF19 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x413D69 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616469Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:12:56 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B590278E-6AE0-4C6E-95D5-C432A3B4BF19 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616468Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:12:56 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3046123406-1282304736-851760533-431994019 Account Name: B590278E-6AE0-4C6E-95D5-C432A3B4BF19 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x413CC4 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616467Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:12:56 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3046123406-1282304736-851760533-431994019 Account Name: B590278E-6AE0-4C6E-95D5-C432A3B4BF19 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x413CC4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616466Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:12:56 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B590278E-6AE0-4C6E-95D5-C432A3B4BF19 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616465Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:12:56 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1221871965-1136215042-3300202422-2556157741 Account Name: 48D4495D-4402-43B9-B617-B5C42DDF5B98 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x412F57 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616464Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:12:54 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1221871965-1136215042-3300202422-2556157741 Account Name: 48D4495D-4402-43B9-B617-B5C42DDF5B98 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x412F57 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616463Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:12:54 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1221871965-1136215042-3300202422-2556157741 Account Name: 48D4495D-4402-43B9-B617-B5C42DDF5B98 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x412F57 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616462Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:12:54 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 48D4495D-4402-43B9-B617-B5C42DDF5B98 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616461Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:12:54 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1221871965-1136215042-3300202422-2556157741 Account Name: 48D4495D-4402-43B9-B617-B5C42DDF5B98 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x41207C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616460Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:12:54 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1221871965-1136215042-3300202422-2556157741 Account Name: 48D4495D-4402-43B9-B617-B5C42DDF5B98 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4121FF Privileges: SeImpersonatePrivilege467200125480-921436483760003481616459Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:12:54 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1221871965-1136215042-3300202422-2556157741 Account Name: 48D4495D-4402-43B9-B617-B5C42DDF5B98 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4121FF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616458Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:12:54 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 48D4495D-4402-43B9-B617-B5C42DDF5B98 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616457Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:12:54 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1221871965-1136215042-3300202422-2556157741 Account Name: 48D4495D-4402-43B9-B617-B5C42DDF5B98 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x41216A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616456Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:12:54 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1221871965-1136215042-3300202422-2556157741 Account Name: 48D4495D-4402-43B9-B617-B5C42DDF5B98 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x41216A Privileges: SeImpersonatePrivilege467200125480-921436483760003481616455Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:12:54 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1221871965-1136215042-3300202422-2556157741 Account Name: 48D4495D-4402-43B9-B617-B5C42DDF5B98 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x41216A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616454Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:12:54 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 48D4495D-4402-43B9-B617-B5C42DDF5B98 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616453Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:12:54 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1221871965-1136215042-3300202422-2556157741 Account Name: 48D4495D-4402-43B9-B617-B5C42DDF5B98 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x412121 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616452Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:12:54 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1221871965-1136215042-3300202422-2556157741 Account Name: 48D4495D-4402-43B9-B617-B5C42DDF5B98 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x412121 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616451Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:12:54 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1221871965-1136215042-3300202422-2556157741 Account Name: 48D4495D-4402-43B9-B617-B5C42DDF5B98 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x412121 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616450Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:12:54 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 48D4495D-4402-43B9-B617-B5C42DDF5B98 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616449Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:12:54 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1221871965-1136215042-3300202422-2556157741 Account Name: 48D4495D-4402-43B9-B617-B5C42DDF5B98 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x41207C Privileges: SeImpersonatePrivilege467200125480-921436483760003481616448Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:12:54 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1221871965-1136215042-3300202422-2556157741 Account Name: 48D4495D-4402-43B9-B617-B5C42DDF5B98 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x41207C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616447Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:12:54 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 48D4495D-4402-43B9-B617-B5C42DDF5B98 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616446Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:12:54 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1166706364-1075047250-116551562-2657202283 Account Name: 458A86BC-EB52-4013-8A6F-F2066BB0619E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3FEA25 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616445Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:12:31 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1166706364-1075047250-116551562-2657202283 Account Name: 458A86BC-EB52-4013-8A6F-F2066BB0619E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x409BFD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616444Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:12:27 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1166706364-1075047250-116551562-2657202283 Account Name: 458A86BC-EB52-4013-8A6F-F2066BB0619E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x409BFD Privileges: SeImpersonatePrivilege467200125480-921436483760003481616443Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:12:27 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1166706364-1075047250-116551562-2657202283 Account Name: 458A86BC-EB52-4013-8A6F-F2066BB0619E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x409BFD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616442Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:12:27 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 458A86BC-EB52-4013-8A6F-F2066BB0619E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616441Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:12:27 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3437326808-1075179940-2306806419-848054560 Account Name: CCE171D8-F1A4-4015-9312-7F8920498C32 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3F2C4F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616440Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:12:26 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1166706364-1075047250-116551562-2657202283 Account Name: 458A86BC-EB52-4013-8A6F-F2066BB0619E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4039A8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616439Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:12:18 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1166706364-1075047250-116551562-2657202283 Account Name: 458A86BC-EB52-4013-8A6F-F2066BB0619E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4039A8 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616438Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:12:18 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1166706364-1075047250-116551562-2657202283 Account Name: 458A86BC-EB52-4013-8A6F-F2066BB0619E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4039A8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616437Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:12:18 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 458A86BC-EB52-4013-8A6F-F2066BB0619E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616436Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:12:18 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x3FC8BA Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616435Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:12:14 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1166706364-1075047250-116551562-2657202283 Account Name: 458A86BC-EB52-4013-8A6F-F2066BB0619E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3FF88D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616434Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:12:10 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1166706364-1075047250-116551562-2657202283 Account Name: 458A86BC-EB52-4013-8A6F-F2066BB0619E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3FF88D Privileges: SeImpersonatePrivilege467200125480-921436483760003481616433Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:12:10 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1166706364-1075047250-116551562-2657202283 Account Name: 458A86BC-EB52-4013-8A6F-F2066BB0619E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3FF88D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616432Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:12:10 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 458A86BC-EB52-4013-8A6F-F2066BB0619E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616431Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:12:10 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1166706364-1075047250-116551562-2657202283 Account Name: 458A86BC-EB52-4013-8A6F-F2066BB0619E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3FE8D7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616430Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:12:09 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1166706364-1075047250-116551562-2657202283 Account Name: 458A86BC-EB52-4013-8A6F-F2066BB0619E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3FEA25 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616429Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:12:09 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1166706364-1075047250-116551562-2657202283 Account Name: 458A86BC-EB52-4013-8A6F-F2066BB0619E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3FEA25 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616428Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:12:09 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 458A86BC-EB52-4013-8A6F-F2066BB0619E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616427Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:12:09 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1166706364-1075047250-116551562-2657202283 Account Name: 458A86BC-EB52-4013-8A6F-F2066BB0619E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3FE9CC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616426Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:12:09 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1166706364-1075047250-116551562-2657202283 Account Name: 458A86BC-EB52-4013-8A6F-F2066BB0619E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3FE9CC Privileges: SeImpersonatePrivilege467200125480-921436483760003481616425Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:12:09 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1166706364-1075047250-116551562-2657202283 Account Name: 458A86BC-EB52-4013-8A6F-F2066BB0619E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3FE9CC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616424Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:12:09 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 458A86BC-EB52-4013-8A6F-F2066BB0619E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616423Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:12:09 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1166706364-1075047250-116551562-2657202283 Account Name: 458A86BC-EB52-4013-8A6F-F2066BB0619E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3FE97F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616422Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:12:09 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1166706364-1075047250-116551562-2657202283 Account Name: 458A86BC-EB52-4013-8A6F-F2066BB0619E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3FE97F Privileges: SeImpersonatePrivilege467200125480-921436483760003481616421Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:12:09 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1166706364-1075047250-116551562-2657202283 Account Name: 458A86BC-EB52-4013-8A6F-F2066BB0619E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3FE97F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616420Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:12:09 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 458A86BC-EB52-4013-8A6F-F2066BB0619E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616419Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:12:09 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1166706364-1075047250-116551562-2657202283 Account Name: 458A86BC-EB52-4013-8A6F-F2066BB0619E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3FE8D7 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616418Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:12:09 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1166706364-1075047250-116551562-2657202283 Account Name: 458A86BC-EB52-4013-8A6F-F2066BB0619E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3FE8D7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616417Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:12:09 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 458A86BC-EB52-4013-8A6F-F2066BB0619E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616416Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:12:09 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-573105837-1122883641-1239351456-3317256590 Account Name: 2228E6AD-D839-42ED-A000-DF498E51B9C5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3FD678 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616415Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:11:59 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-573105837-1122883641-1239351456-3317256590 Account Name: 2228E6AD-D839-42ED-A000-DF498E51B9C5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3FD678 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616414Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:11:59 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-573105837-1122883641-1239351456-3317256590 Account Name: 2228E6AD-D839-42ED-A000-DF498E51B9C5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3FD678 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616413Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:11:59 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2228E6AD-D839-42ED-A000-DF498E51B9C5 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616412Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:11:59 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x3FC8BA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F2DBABA7-740C-DE72-ECA8-9330E34E56B4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 53897 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616411Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:11:57 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x3FC8BA Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616410Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:11:57 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3498283417-1120695375-3730981531-532715940 Account Name: D0839199-744F-42CC-9B42-62DEA499C01F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E9710 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616409Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:11:53 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3437326808-1075179940-2306806419-848054560 Account Name: CCE171D8-F1A4-4015-9312-7F8920498C32 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3F7847 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616408Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:11:42 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3437326808-1075179940-2306806419-848054560 Account Name: CCE171D8-F1A4-4015-9312-7F8920498C32 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3F7847 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616407Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:11:42 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3437326808-1075179940-2306806419-848054560 Account Name: CCE171D8-F1A4-4015-9312-7F8920498C32 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3F7847 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616406Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:11:42 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CCE171D8-F1A4-4015-9312-7F8920498C32 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616405Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:11:42 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3437326808-1075179940-2306806419-848054560 Account Name: CCE171D8-F1A4-4015-9312-7F8920498C32 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3F39CA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616404Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:11:33 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3437326808-1075179940-2306806419-848054560 Account Name: CCE171D8-F1A4-4015-9312-7F8920498C32 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3F39CA Privileges: SeImpersonatePrivilege467200125480-921436483760003481616403Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:11:33 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3437326808-1075179940-2306806419-848054560 Account Name: CCE171D8-F1A4-4015-9312-7F8920498C32 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3F39CA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616402Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:11:33 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CCE171D8-F1A4-4015-9312-7F8920498C32 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616401Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:11:33 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3437326808-1075179940-2306806419-848054560 Account Name: CCE171D8-F1A4-4015-9312-7F8920498C32 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3F2B08 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616400Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:11:33 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3437326808-1075179940-2306806419-848054560 Account Name: CCE171D8-F1A4-4015-9312-7F8920498C32 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3F2C4F Privileges: SeImpersonatePrivilege467200125480-921436483760003481616399Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:11:32 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3437326808-1075179940-2306806419-848054560 Account Name: CCE171D8-F1A4-4015-9312-7F8920498C32 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3F2C4F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616398Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:11:32 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CCE171D8-F1A4-4015-9312-7F8920498C32 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616397Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:11:32 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3437326808-1075179940-2306806419-848054560 Account Name: CCE171D8-F1A4-4015-9312-7F8920498C32 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3F2BF6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616396Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:11:32 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3437326808-1075179940-2306806419-848054560 Account Name: CCE171D8-F1A4-4015-9312-7F8920498C32 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3F2BF6 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616395Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:11:32 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3437326808-1075179940-2306806419-848054560 Account Name: CCE171D8-F1A4-4015-9312-7F8920498C32 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3F2BF6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616394Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:11:32 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CCE171D8-F1A4-4015-9312-7F8920498C32 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616393Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:11:32 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3437326808-1075179940-2306806419-848054560 Account Name: CCE171D8-F1A4-4015-9312-7F8920498C32 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3F2BAD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616392Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:11:32 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3437326808-1075179940-2306806419-848054560 Account Name: CCE171D8-F1A4-4015-9312-7F8920498C32 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3F2BAD Privileges: SeImpersonatePrivilege467200125480-921436483760003481616391Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:11:32 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3437326808-1075179940-2306806419-848054560 Account Name: CCE171D8-F1A4-4015-9312-7F8920498C32 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3F2BAD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616390Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:11:32 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CCE171D8-F1A4-4015-9312-7F8920498C32 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616389Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:11:32 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3437326808-1075179940-2306806419-848054560 Account Name: CCE171D8-F1A4-4015-9312-7F8920498C32 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3F2B08 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616388Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:11:32 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3437326808-1075179940-2306806419-848054560 Account Name: CCE171D8-F1A4-4015-9312-7F8920498C32 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3F2B08 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616387Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:11:32 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CCE171D8-F1A4-4015-9312-7F8920498C32 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616386Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:11:32 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-573105837-1122883641-1239351456-3317256590 Account Name: 2228E6AD-D839-42ED-A000-DF498E51B9C5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3F1832 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616385Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:11:29 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-573105837-1122883641-1239351456-3317256590 Account Name: 2228E6AD-D839-42ED-A000-DF498E51B9C5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3F1832 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616384Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:11:29 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-573105837-1122883641-1239351456-3317256590 Account Name: 2228E6AD-D839-42ED-A000-DF498E51B9C5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3F1832 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616383Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:11:29 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2228E6AD-D839-42ED-A000-DF498E51B9C5 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616382Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:11:29 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3498283417-1120695375-3730981531-532715940 Account Name: D0839199-744F-42CC-9B42-62DEA499C01F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3ED8F7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616381Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:11:13 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3498283417-1120695375-3730981531-532715940 Account Name: D0839199-744F-42CC-9B42-62DEA499C01F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3ED8F7 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616380Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:11:13 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3498283417-1120695375-3730981531-532715940 Account Name: D0839199-744F-42CC-9B42-62DEA499C01F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3ED8F7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616379Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:11:13 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D0839199-744F-42CC-9B42-62DEA499C01F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616378Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:11:13 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3498283417-1120695375-3730981531-532715940 Account Name: D0839199-744F-42CC-9B42-62DEA499C01F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3EA451 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616377Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:11:04 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3498283417-1120695375-3730981531-532715940 Account Name: D0839199-744F-42CC-9B42-62DEA499C01F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3EA451 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616376Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:11:04 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3498283417-1120695375-3730981531-532715940 Account Name: D0839199-744F-42CC-9B42-62DEA499C01F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3EA451 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616375Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:11:04 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D0839199-744F-42CC-9B42-62DEA499C01F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616374Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:11:04 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3498283417-1120695375-3730981531-532715940 Account Name: D0839199-744F-42CC-9B42-62DEA499C01F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E95C8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616373Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:11:04 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3498283417-1120695375-3730981531-532715940 Account Name: D0839199-744F-42CC-9B42-62DEA499C01F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E9710 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616372Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:11:04 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3498283417-1120695375-3730981531-532715940 Account Name: D0839199-744F-42CC-9B42-62DEA499C01F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E9710 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616371Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:11:04 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D0839199-744F-42CC-9B42-62DEA499C01F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616370Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:11:04 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3498283417-1120695375-3730981531-532715940 Account Name: D0839199-744F-42CC-9B42-62DEA499C01F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E96B7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616369Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:11:04 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3498283417-1120695375-3730981531-532715940 Account Name: D0839199-744F-42CC-9B42-62DEA499C01F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E96B7 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616368Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:11:04 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3498283417-1120695375-3730981531-532715940 Account Name: D0839199-744F-42CC-9B42-62DEA499C01F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E96B7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616367Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:11:04 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D0839199-744F-42CC-9B42-62DEA499C01F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616366Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:11:04 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3498283417-1120695375-3730981531-532715940 Account Name: D0839199-744F-42CC-9B42-62DEA499C01F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E966E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616365Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:11:04 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3498283417-1120695375-3730981531-532715940 Account Name: D0839199-744F-42CC-9B42-62DEA499C01F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E966E Privileges: SeImpersonatePrivilege467200125480-921436483760003481616364Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:11:04 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3498283417-1120695375-3730981531-532715940 Account Name: D0839199-744F-42CC-9B42-62DEA499C01F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E966E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616363Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:11:04 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D0839199-744F-42CC-9B42-62DEA499C01F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616362Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:11:04 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3498283417-1120695375-3730981531-532715940 Account Name: D0839199-744F-42CC-9B42-62DEA499C01F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E95C8 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616361Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:11:04 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3498283417-1120695375-3730981531-532715940 Account Name: D0839199-744F-42CC-9B42-62DEA499C01F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E95C8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616360Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:11:04 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D0839199-744F-42CC-9B42-62DEA499C01F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616359Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:11:04 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-573105837-1122883641-1239351456-3317256590 Account Name: 2228E6AD-D839-42ED-A000-DF498E51B9C5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E7472 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616358Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:10:51 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-573105837-1122883641-1239351456-3317256590 Account Name: 2228E6AD-D839-42ED-A000-DF498E51B9C5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E7472 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616357Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:10:51 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-573105837-1122883641-1239351456-3317256590 Account Name: 2228E6AD-D839-42ED-A000-DF498E51B9C5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E7472 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616356Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:10:51 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2228E6AD-D839-42ED-A000-DF498E51B9C5 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616355Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:10:51 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x3DD725 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616354Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:10:44 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3447095579-1274635008-1012935309-1748061346 Account Name: CD76811B-6300-4BF9-8D2A-603CA24C3168 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3CD1EC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616353Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:10:32 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3447095579-1274635008-1012935309-1748061346 Account Name: CD76811B-6300-4BF9-8D2A-603CA24C3168 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E17B3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616352Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:10:28 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3447095579-1274635008-1012935309-1748061346 Account Name: CD76811B-6300-4BF9-8D2A-603CA24C3168 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E17B3 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616351Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:10:28 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3447095579-1274635008-1012935309-1748061346 Account Name: CD76811B-6300-4BF9-8D2A-603CA24C3168 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E17B3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616350Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:10:28 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CD76811B-6300-4BF9-8D2A-603CA24C3168 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616349Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:10:28 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x3DD725 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F2DBABA7-740C-DE72-ECA8-9330E34E56B4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 53840 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616348Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:09:56 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x3DD725 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616347Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:09:56 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-573105837-1122883641-1239351456-3317256590 Account Name: 2228E6AD-D839-42ED-A000-DF498E51B9C5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3D9BCA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616346Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:09:34 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-573105837-1122883641-1239351456-3317256590 Account Name: 2228E6AD-D839-42ED-A000-DF498E51B9C5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3D9BCA Privileges: SeImpersonatePrivilege467200125480-921436483760003481616345Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:09:34 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-573105837-1122883641-1239351456-3317256590 Account Name: 2228E6AD-D839-42ED-A000-DF498E51B9C5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3D9BCA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616344Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:09:34 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2228E6AD-D839-42ED-A000-DF498E51B9C5 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616343Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:09:34 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-573105837-1122883641-1239351456-3317256590 Account Name: 2228E6AD-D839-42ED-A000-DF498E51B9C5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3D6957 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616342Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:09:30 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-573105837-1122883641-1239351456-3317256590 Account Name: 2228E6AD-D839-42ED-A000-DF498E51B9C5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3D6957 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616341Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:09:30 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-573105837-1122883641-1239351456-3317256590 Account Name: 2228E6AD-D839-42ED-A000-DF498E51B9C5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3D6957 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616340Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:09:30 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2228E6AD-D839-42ED-A000-DF498E51B9C5 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616339Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:09:30 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-573105837-1122883641-1239351456-3317256590 Account Name: 2228E6AD-D839-42ED-A000-DF498E51B9C5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3D5B02 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616338Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:09:30 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-573105837-1122883641-1239351456-3317256590 Account Name: 2228E6AD-D839-42ED-A000-DF498E51B9C5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3D5C4D Privileges: SeImpersonatePrivilege467200125480-921436483760003481616337Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:09:30 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-573105837-1122883641-1239351456-3317256590 Account Name: 2228E6AD-D839-42ED-A000-DF498E51B9C5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3D5C4D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616336Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:09:30 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2228E6AD-D839-42ED-A000-DF498E51B9C5 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616335Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:09:30 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-573105837-1122883641-1239351456-3317256590 Account Name: 2228E6AD-D839-42ED-A000-DF498E51B9C5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3D5BF4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616334Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:09:30 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-573105837-1122883641-1239351456-3317256590 Account Name: 2228E6AD-D839-42ED-A000-DF498E51B9C5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3D5BF4 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616333Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:09:30 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-573105837-1122883641-1239351456-3317256590 Account Name: 2228E6AD-D839-42ED-A000-DF498E51B9C5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3D5BF4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616332Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:09:30 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2228E6AD-D839-42ED-A000-DF498E51B9C5 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616331Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:09:30 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-573105837-1122883641-1239351456-3317256590 Account Name: 2228E6AD-D839-42ED-A000-DF498E51B9C5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3D5BA7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616330Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:09:30 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-573105837-1122883641-1239351456-3317256590 Account Name: 2228E6AD-D839-42ED-A000-DF498E51B9C5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3D5BA7 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616329Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:09:30 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-573105837-1122883641-1239351456-3317256590 Account Name: 2228E6AD-D839-42ED-A000-DF498E51B9C5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3D5BA7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616328Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:09:30 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2228E6AD-D839-42ED-A000-DF498E51B9C5 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616327Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:09:30 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-573105837-1122883641-1239351456-3317256590 Account Name: 2228E6AD-D839-42ED-A000-DF498E51B9C5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3D5B02 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616326Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:09:29 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-573105837-1122883641-1239351456-3317256590 Account Name: 2228E6AD-D839-42ED-A000-DF498E51B9C5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3D5B02 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616325Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:09:29 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2228E6AD-D839-42ED-A000-DF498E51B9C5 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616324Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:09:29 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x3C1574 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616323Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:09:14 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3447095579-1274635008-1012935309-1748061346 Account Name: CD76811B-6300-4BF9-8D2A-603CA24C3168 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3D1269 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616322Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:08:59 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3447095579-1274635008-1012935309-1748061346 Account Name: CD76811B-6300-4BF9-8D2A-603CA24C3168 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3D1269 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616321Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:08:59 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3447095579-1274635008-1012935309-1748061346 Account Name: CD76811B-6300-4BF9-8D2A-603CA24C3168 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3D1269 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616320Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:08:59 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CD76811B-6300-4BF9-8D2A-603CA24C3168 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616319Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:08:59 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3447095579-1274635008-1012935309-1748061346 Account Name: CD76811B-6300-4BF9-8D2A-603CA24C3168 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3CDEEA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616318Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:08:52 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3447095579-1274635008-1012935309-1748061346 Account Name: CD76811B-6300-4BF9-8D2A-603CA24C3168 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3CDEEA Privileges: SeImpersonatePrivilege467200125480-921436483760003481616317Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:08:52 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3447095579-1274635008-1012935309-1748061346 Account Name: CD76811B-6300-4BF9-8D2A-603CA24C3168 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3CDEEA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616316Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:08:52 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CD76811B-6300-4BF9-8D2A-603CA24C3168 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616315Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:08:52 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3447095579-1274635008-1012935309-1748061346 Account Name: CD76811B-6300-4BF9-8D2A-603CA24C3168 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3CD0A4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616314Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:08:52 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3447095579-1274635008-1012935309-1748061346 Account Name: CD76811B-6300-4BF9-8D2A-603CA24C3168 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3CD1EC Privileges: SeImpersonatePrivilege467200125480-921436483760003481616313Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:08:52 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3447095579-1274635008-1012935309-1748061346 Account Name: CD76811B-6300-4BF9-8D2A-603CA24C3168 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3CD1EC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616312Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:08:52 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CD76811B-6300-4BF9-8D2A-603CA24C3168 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616311Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:08:52 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3447095579-1274635008-1012935309-1748061346 Account Name: CD76811B-6300-4BF9-8D2A-603CA24C3168 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3CD193 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616310Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:08:52 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3447095579-1274635008-1012935309-1748061346 Account Name: CD76811B-6300-4BF9-8D2A-603CA24C3168 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3CD193 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616309Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:08:52 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3447095579-1274635008-1012935309-1748061346 Account Name: CD76811B-6300-4BF9-8D2A-603CA24C3168 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3CD193 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616308Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:08:52 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CD76811B-6300-4BF9-8D2A-603CA24C3168 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616307Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:08:52 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3447095579-1274635008-1012935309-1748061346 Account Name: CD76811B-6300-4BF9-8D2A-603CA24C3168 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3CD14A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616306Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:08:52 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3447095579-1274635008-1012935309-1748061346 Account Name: CD76811B-6300-4BF9-8D2A-603CA24C3168 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3CD14A Privileges: SeImpersonatePrivilege467200125480-921436483760003481616305Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:08:52 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3447095579-1274635008-1012935309-1748061346 Account Name: CD76811B-6300-4BF9-8D2A-603CA24C3168 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3CD14A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616304Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:08:52 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CD76811B-6300-4BF9-8D2A-603CA24C3168 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616303Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:08:52 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3447095579-1274635008-1012935309-1748061346 Account Name: CD76811B-6300-4BF9-8D2A-603CA24C3168 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3CD0A4 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616302Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:08:52 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3447095579-1274635008-1012935309-1748061346 Account Name: CD76811B-6300-4BF9-8D2A-603CA24C3168 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3CD0A4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616301Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:08:52 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CD76811B-6300-4BF9-8D2A-603CA24C3168 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616300Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:08:52 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2318774851-1191068873-504805039-3975539037 Account Name: 8A35B243-44C9-46FE-AFB6-161E5DE9F5EC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x36DD8B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616299Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:08:07 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3050596704-1120903599-1410043553-3452602128 Account Name: B5D46960-A1AF-42CF-A18E-0B541087CACD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3BB4B7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616298Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:07:57 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x3C1574 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F2DBABA7-740C-DE72-ECA8-9330E34E56B4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 53770 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616297Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:07:55 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x3C1574 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616296Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:07:55 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3050596704-1120903599-1410043553-3452602128 Account Name: B5D46960-A1AF-42CF-A18E-0B541087CACD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3BF3B5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616295Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:07:47 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3050596704-1120903599-1410043553-3452602128 Account Name: B5D46960-A1AF-42CF-A18E-0B541087CACD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3BF3B5 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616294Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:07:47 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3050596704-1120903599-1410043553-3452602128 Account Name: B5D46960-A1AF-42CF-A18E-0B541087CACD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3BF3B5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616293Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:07:47 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B5D46960-A1AF-42CF-A18E-0B541087CACD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616292Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:07:47 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3050596704-1120903599-1410043553-3452602128 Account Name: B5D46960-A1AF-42CF-A18E-0B541087CACD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3BC1CD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616291Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:07:42 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3050596704-1120903599-1410043553-3452602128 Account Name: B5D46960-A1AF-42CF-A18E-0B541087CACD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3BC1CD Privileges: SeImpersonatePrivilege467200125480-921436483760003481616290Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:07:42 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3050596704-1120903599-1410043553-3452602128 Account Name: B5D46960-A1AF-42CF-A18E-0B541087CACD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3BC1CD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616289Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:07:42 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B5D46960-A1AF-42CF-A18E-0B541087CACD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616288Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:07:42 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3050596704-1120903599-1410043553-3452602128 Account Name: B5D46960-A1AF-42CF-A18E-0B541087CACD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3BB36F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616287Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:07:41 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3050596704-1120903599-1410043553-3452602128 Account Name: B5D46960-A1AF-42CF-A18E-0B541087CACD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3BB4B7 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616286Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:07:41 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3050596704-1120903599-1410043553-3452602128 Account Name: B5D46960-A1AF-42CF-A18E-0B541087CACD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3BB4B7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616285Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:07:41 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B5D46960-A1AF-42CF-A18E-0B541087CACD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616284Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:07:41 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3050596704-1120903599-1410043553-3452602128 Account Name: B5D46960-A1AF-42CF-A18E-0B541087CACD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3BB45E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616283Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:07:41 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3050596704-1120903599-1410043553-3452602128 Account Name: B5D46960-A1AF-42CF-A18E-0B541087CACD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3BB45E Privileges: SeImpersonatePrivilege467200125480-921436483760003481616282Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:07:41 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3050596704-1120903599-1410043553-3452602128 Account Name: B5D46960-A1AF-42CF-A18E-0B541087CACD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3BB45E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616281Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:07:41 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B5D46960-A1AF-42CF-A18E-0B541087CACD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616280Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:07:41 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3050596704-1120903599-1410043553-3452602128 Account Name: B5D46960-A1AF-42CF-A18E-0B541087CACD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3BB415 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616279Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:07:41 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3050596704-1120903599-1410043553-3452602128 Account Name: B5D46960-A1AF-42CF-A18E-0B541087CACD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3BB415 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616278Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:07:41 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3050596704-1120903599-1410043553-3452602128 Account Name: B5D46960-A1AF-42CF-A18E-0B541087CACD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3BB415 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616277Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:07:41 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B5D46960-A1AF-42CF-A18E-0B541087CACD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616276Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:07:41 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3050596704-1120903599-1410043553-3452602128 Account Name: B5D46960-A1AF-42CF-A18E-0B541087CACD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3BB36F Privileges: SeImpersonatePrivilege467200125480-921436483760003481616275Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:07:41 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3050596704-1120903599-1410043553-3452602128 Account Name: B5D46960-A1AF-42CF-A18E-0B541087CACD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3BB36F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616274Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:07:41 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B5D46960-A1AF-42CF-A18E-0B541087CACD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616273Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:07:41 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1897229226-1119474793-3848237501-181774335 Account Name: 71156BAA-D469-42B9-BD71-5FE5FFA7D50A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3A5074 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616272Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:07:35 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-201082620-1328933504-2706133898-3177340661 Account Name: 0BFC46FC-EA80-4F35-8A53-4CA1F55E62BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x38790A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616271Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:07:27 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1897229226-1119474793-3848237501-181774335 Account Name: 71156BAA-D469-42B9-BD71-5FE5FFA7D50A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3AD25C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616270Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:07:24 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1897229226-1119474793-3848237501-181774335 Account Name: 71156BAA-D469-42B9-BD71-5FE5FFA7D50A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3AD25C Privileges: SeImpersonatePrivilege467200125480-921436483760003481616269Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:07:24 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1897229226-1119474793-3848237501-181774335 Account Name: 71156BAA-D469-42B9-BD71-5FE5FFA7D50A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3AD25C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616268Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:07:24 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 71156BAA-D469-42B9-BD71-5FE5FFA7D50A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616267Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:07:24 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-201082620-1328933504-2706133898-3177340661 Account Name: 0BFC46FC-EA80-4F35-8A53-4CA1F55E62BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3AAD4E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616266Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:07:22 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-201082620-1328933504-2706133898-3177340661 Account Name: 0BFC46FC-EA80-4F35-8A53-4CA1F55E62BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3AAD4E Privileges: SeImpersonatePrivilege467200125480-921436483760003481616265Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:07:22 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-201082620-1328933504-2706133898-3177340661 Account Name: 0BFC46FC-EA80-4F35-8A53-4CA1F55E62BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3AAD4E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616264Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:07:22 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0BFC46FC-EA80-4F35-8A53-4CA1F55E62BD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616263Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:07:22 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-201082620-1328933504-2706133898-3177340661 Account Name: 0BFC46FC-EA80-4F35-8A53-4CA1F55E62BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3AA1F7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616262Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:07:22 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-201082620-1328933504-2706133898-3177340661 Account Name: 0BFC46FC-EA80-4F35-8A53-4CA1F55E62BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3AA1F7 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616261Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:07:22 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-201082620-1328933504-2706133898-3177340661 Account Name: 0BFC46FC-EA80-4F35-8A53-4CA1F55E62BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3AA1F7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616260Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:07:22 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0BFC46FC-EA80-4F35-8A53-4CA1F55E62BD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616259Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:07:22 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1897229226-1119474793-3848237501-181774335 Account Name: 71156BAA-D469-42B9-BD71-5FE5FFA7D50A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3A5DC1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616258Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:07:18 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1897229226-1119474793-3848237501-181774335 Account Name: 71156BAA-D469-42B9-BD71-5FE5FFA7D50A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3A5DC1 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616257Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:07:18 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1897229226-1119474793-3848237501-181774335 Account Name: 71156BAA-D469-42B9-BD71-5FE5FFA7D50A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3A5DC1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616256Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:07:18 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 71156BAA-D469-42B9-BD71-5FE5FFA7D50A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616255Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:07:18 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1897229226-1119474793-3848237501-181774335 Account Name: 71156BAA-D469-42B9-BD71-5FE5FFA7D50A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3A4EB4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616254Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:07:18 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1897229226-1119474793-3848237501-181774335 Account Name: 71156BAA-D469-42B9-BD71-5FE5FFA7D50A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3A5074 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616253Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:07:18 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1897229226-1119474793-3848237501-181774335 Account Name: 71156BAA-D469-42B9-BD71-5FE5FFA7D50A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3A5074 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616252Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:07:18 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 71156BAA-D469-42B9-BD71-5FE5FFA7D50A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616251Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:07:18 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1897229226-1119474793-3848237501-181774335 Account Name: 71156BAA-D469-42B9-BD71-5FE5FFA7D50A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3A4FA2 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616250Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:07:18 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1897229226-1119474793-3848237501-181774335 Account Name: 71156BAA-D469-42B9-BD71-5FE5FFA7D50A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3A4FA2 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616249Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:07:18 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1897229226-1119474793-3848237501-181774335 Account Name: 71156BAA-D469-42B9-BD71-5FE5FFA7D50A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3A4FA2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616248Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:07:18 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 71156BAA-D469-42B9-BD71-5FE5FFA7D50A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616247Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:07:18 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1897229226-1119474793-3848237501-181774335 Account Name: 71156BAA-D469-42B9-BD71-5FE5FFA7D50A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3A4F59 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616246Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:07:18 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1897229226-1119474793-3848237501-181774335 Account Name: 71156BAA-D469-42B9-BD71-5FE5FFA7D50A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3A4F59 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616245Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:07:18 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1897229226-1119474793-3848237501-181774335 Account Name: 71156BAA-D469-42B9-BD71-5FE5FFA7D50A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3A4F59 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616244Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:07:18 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 71156BAA-D469-42B9-BD71-5FE5FFA7D50A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616243Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:07:18 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1897229226-1119474793-3848237501-181774335 Account Name: 71156BAA-D469-42B9-BD71-5FE5FFA7D50A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3A4EB4 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616242Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:07:18 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1897229226-1119474793-3848237501-181774335 Account Name: 71156BAA-D469-42B9-BD71-5FE5FFA7D50A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3A4EB4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616241Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:07:18 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 71156BAA-D469-42B9-BD71-5FE5FFA7D50A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616240Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:07:18 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-201082620-1328933504-2706133898-3177340661 Account Name: 0BFC46FC-EA80-4F35-8A53-4CA1F55E62BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3A3A99 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616239Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:07:17 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-201082620-1328933504-2706133898-3177340661 Account Name: 0BFC46FC-EA80-4F35-8A53-4CA1F55E62BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3A3A99 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616238Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:07:17 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-201082620-1328933504-2706133898-3177340661 Account Name: 0BFC46FC-EA80-4F35-8A53-4CA1F55E62BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3A3A99 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616237Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:07:17 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0BFC46FC-EA80-4F35-8A53-4CA1F55E62BD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616236Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:07:17 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-201082620-1328933504-2706133898-3177340661 Account Name: 0BFC46FC-EA80-4F35-8A53-4CA1F55E62BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3A2761 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616235Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:07:16 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-201082620-1328933504-2706133898-3177340661 Account Name: 0BFC46FC-EA80-4F35-8A53-4CA1F55E62BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3A2761 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616234Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:07:16 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-201082620-1328933504-2706133898-3177340661 Account Name: 0BFC46FC-EA80-4F35-8A53-4CA1F55E62BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3A2761 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616233Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:07:16 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0BFC46FC-EA80-4F35-8A53-4CA1F55E62BD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616232Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:07:16 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-201082620-1328933504-2706133898-3177340661 Account Name: 0BFC46FC-EA80-4F35-8A53-4CA1F55E62BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3A1F79 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616231Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:07:16 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-201082620-1328933504-2706133898-3177340661 Account Name: 0BFC46FC-EA80-4F35-8A53-4CA1F55E62BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3A1F79 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616230Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:07:16 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-201082620-1328933504-2706133898-3177340661 Account Name: 0BFC46FC-EA80-4F35-8A53-4CA1F55E62BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3A1F79 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616229Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:07:16 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0BFC46FC-EA80-4F35-8A53-4CA1F55E62BD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616228Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:07:16 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1974707150-1102033844-1661971368-4225432128 Account Name: 75B3A3CE-B3B4-41AF-A8AB-0F6340FADAFB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2DFA03 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616227Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:07:05 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3814821642-1246775338-764227486-3646706872 Account Name: E3618F0A-482A-4A50-9E2F-8D2DB8545CD9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x37A443 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616226Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:06:59 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-51567796-1252234382-621675181-2152404820 Account Name: 0312DCB4-948E-4AA3-AD02-0E2554174B80 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x380C6D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616225Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:06:58 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2318774851-1191068873-504805039-3975539037 Account Name: 8A35B243-44C9-46FE-AFB6-161E5DE9F5EC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x395BF7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616224Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:06:58 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2318774851-1191068873-504805039-3975539037 Account Name: 8A35B243-44C9-46FE-AFB6-161E5DE9F5EC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x395BF7 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616223Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:06:58 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2318774851-1191068873-504805039-3975539037 Account Name: 8A35B243-44C9-46FE-AFB6-161E5DE9F5EC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x395BF7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616222Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:06:58 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8A35B243-44C9-46FE-AFB6-161E5DE9F5EC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616221Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:06:58 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-201082620-1328933504-2706133898-3177340661 Account Name: 0BFC46FC-EA80-4F35-8A53-4CA1F55E62BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x38D791 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616220Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:06:42 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-201082620-1328933504-2706133898-3177340661 Account Name: 0BFC46FC-EA80-4F35-8A53-4CA1F55E62BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x38D791 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616219Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:06:42 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-201082620-1328933504-2706133898-3177340661 Account Name: 0BFC46FC-EA80-4F35-8A53-4CA1F55E62BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x38D791 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616218Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:06:42 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0BFC46FC-EA80-4F35-8A53-4CA1F55E62BD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616217Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:06:42 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-201082620-1328933504-2706133898-3177340661 Account Name: 0BFC46FC-EA80-4F35-8A53-4CA1F55E62BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3887C7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616216Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:06:36 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-201082620-1328933504-2706133898-3177340661 Account Name: 0BFC46FC-EA80-4F35-8A53-4CA1F55E62BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3887C7 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616215Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:06:36 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-201082620-1328933504-2706133898-3177340661 Account Name: 0BFC46FC-EA80-4F35-8A53-4CA1F55E62BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3887C7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616214Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:06:36 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0BFC46FC-EA80-4F35-8A53-4CA1F55E62BD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616213Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:06:36 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-201082620-1328933504-2706133898-3177340661 Account Name: 0BFC46FC-EA80-4F35-8A53-4CA1F55E62BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3877C2 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616212Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:06:35 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-201082620-1328933504-2706133898-3177340661 Account Name: 0BFC46FC-EA80-4F35-8A53-4CA1F55E62BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x38790A Privileges: SeImpersonatePrivilege467200125480-921436483760003481616211Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:06:35 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-201082620-1328933504-2706133898-3177340661 Account Name: 0BFC46FC-EA80-4F35-8A53-4CA1F55E62BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x38790A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616210Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:06:35 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0BFC46FC-EA80-4F35-8A53-4CA1F55E62BD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616209Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:06:35 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-201082620-1328933504-2706133898-3177340661 Account Name: 0BFC46FC-EA80-4F35-8A53-4CA1F55E62BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3878B1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616208Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:06:35 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-201082620-1328933504-2706133898-3177340661 Account Name: 0BFC46FC-EA80-4F35-8A53-4CA1F55E62BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3878B1 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616207Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:06:35 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-201082620-1328933504-2706133898-3177340661 Account Name: 0BFC46FC-EA80-4F35-8A53-4CA1F55E62BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3878B1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616206Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:06:35 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0BFC46FC-EA80-4F35-8A53-4CA1F55E62BD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616205Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:06:35 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-201082620-1328933504-2706133898-3177340661 Account Name: 0BFC46FC-EA80-4F35-8A53-4CA1F55E62BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x387868 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616204Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:06:35 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-201082620-1328933504-2706133898-3177340661 Account Name: 0BFC46FC-EA80-4F35-8A53-4CA1F55E62BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x387868 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616203Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:06:35 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-201082620-1328933504-2706133898-3177340661 Account Name: 0BFC46FC-EA80-4F35-8A53-4CA1F55E62BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x387868 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616202Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:06:35 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0BFC46FC-EA80-4F35-8A53-4CA1F55E62BD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616201Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:06:35 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-201082620-1328933504-2706133898-3177340661 Account Name: 0BFC46FC-EA80-4F35-8A53-4CA1F55E62BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3877C2 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616200Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:06:35 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-201082620-1328933504-2706133898-3177340661 Account Name: 0BFC46FC-EA80-4F35-8A53-4CA1F55E62BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3877C2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616199Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:06:35 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0BFC46FC-EA80-4F35-8A53-4CA1F55E62BD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616198Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:06:35 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-51567796-1252234382-621675181-2152404820 Account Name: 0312DCB4-948E-4AA3-AD02-0E2554174B80 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3851D4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616197Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:06:28 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-51567796-1252234382-621675181-2152404820 Account Name: 0312DCB4-948E-4AA3-AD02-0E2554174B80 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3851D4 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616196Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:06:28 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-51567796-1252234382-621675181-2152404820 Account Name: 0312DCB4-948E-4AA3-AD02-0E2554174B80 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3851D4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616195Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:06:28 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0312DCB4-948E-4AA3-AD02-0E2554174B80 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616194Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:06:28 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-51567796-1252234382-621675181-2152404820 Account Name: 0312DCB4-948E-4AA3-AD02-0E2554174B80 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3819D1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616193Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:06:23 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-51567796-1252234382-621675181-2152404820 Account Name: 0312DCB4-948E-4AA3-AD02-0E2554174B80 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3819D1 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616192Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:06:23 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-51567796-1252234382-621675181-2152404820 Account Name: 0312DCB4-948E-4AA3-AD02-0E2554174B80 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3819D1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616191Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:06:23 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0312DCB4-948E-4AA3-AD02-0E2554174B80 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616190Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:06:23 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-51567796-1252234382-621675181-2152404820 Account Name: 0312DCB4-948E-4AA3-AD02-0E2554174B80 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x380B26 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616189Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:06:22 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-51567796-1252234382-621675181-2152404820 Account Name: 0312DCB4-948E-4AA3-AD02-0E2554174B80 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x380C6D Privileges: SeImpersonatePrivilege467200125480-921436483760003481616188Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:06:22 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-51567796-1252234382-621675181-2152404820 Account Name: 0312DCB4-948E-4AA3-AD02-0E2554174B80 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x380C6D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616187Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:06:22 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0312DCB4-948E-4AA3-AD02-0E2554174B80 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616186Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:06:22 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-51567796-1252234382-621675181-2152404820 Account Name: 0312DCB4-948E-4AA3-AD02-0E2554174B80 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x380C14 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616185Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:06:22 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-51567796-1252234382-621675181-2152404820 Account Name: 0312DCB4-948E-4AA3-AD02-0E2554174B80 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x380C14 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616184Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:06:22 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-51567796-1252234382-621675181-2152404820 Account Name: 0312DCB4-948E-4AA3-AD02-0E2554174B80 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x380C14 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616183Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:06:22 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0312DCB4-948E-4AA3-AD02-0E2554174B80 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616182Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:06:22 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-51567796-1252234382-621675181-2152404820 Account Name: 0312DCB4-948E-4AA3-AD02-0E2554174B80 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x380BCB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616181Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:06:22 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-51567796-1252234382-621675181-2152404820 Account Name: 0312DCB4-948E-4AA3-AD02-0E2554174B80 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x380BCB Privileges: SeImpersonatePrivilege467200125480-921436483760003481616180Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:06:22 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-51567796-1252234382-621675181-2152404820 Account Name: 0312DCB4-948E-4AA3-AD02-0E2554174B80 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x380BCB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616179Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:06:22 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0312DCB4-948E-4AA3-AD02-0E2554174B80 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616178Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:06:22 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-51567796-1252234382-621675181-2152404820 Account Name: 0312DCB4-948E-4AA3-AD02-0E2554174B80 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x380B26 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616177Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:06:22 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-51567796-1252234382-621675181-2152404820 Account Name: 0312DCB4-948E-4AA3-AD02-0E2554174B80 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x380B26 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616176Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:06:22 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0312DCB4-948E-4AA3-AD02-0E2554174B80 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616175Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:06:22 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3814821642-1246775338-764227486-3646706872 Account Name: E3618F0A-482A-4A50-9E2F-8D2DB8545CD9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x37F3DA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616174Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:06:21 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3814821642-1246775338-764227486-3646706872 Account Name: E3618F0A-482A-4A50-9E2F-8D2DB8545CD9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x37F3DA Privileges: SeImpersonatePrivilege467200125480-921436483760003481616173Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:06:21 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3814821642-1246775338-764227486-3646706872 Account Name: E3618F0A-482A-4A50-9E2F-8D2DB8545CD9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x37F3DA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616172Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:06:21 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E3618F0A-482A-4A50-9E2F-8D2DB8545CD9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616171Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:06:21 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3814821642-1246775338-764227486-3646706872 Account Name: E3618F0A-482A-4A50-9E2F-8D2DB8545CD9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x37B203 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616170Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:06:15 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3814821642-1246775338-764227486-3646706872 Account Name: E3618F0A-482A-4A50-9E2F-8D2DB8545CD9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x37B203 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616169Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:06:15 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3814821642-1246775338-764227486-3646706872 Account Name: E3618F0A-482A-4A50-9E2F-8D2DB8545CD9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x37B203 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616168Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:06:15 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E3618F0A-482A-4A50-9E2F-8D2DB8545CD9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616167Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:06:15 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3814821642-1246775338-764227486-3646706872 Account Name: E3618F0A-482A-4A50-9E2F-8D2DB8545CD9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x37A2F6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616166Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:06:15 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3814821642-1246775338-764227486-3646706872 Account Name: E3618F0A-482A-4A50-9E2F-8D2DB8545CD9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x37A443 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616165Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:06:15 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3814821642-1246775338-764227486-3646706872 Account Name: E3618F0A-482A-4A50-9E2F-8D2DB8545CD9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x37A443 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616164Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:06:15 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E3618F0A-482A-4A50-9E2F-8D2DB8545CD9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616163Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:06:15 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3814821642-1246775338-764227486-3646706872 Account Name: E3618F0A-482A-4A50-9E2F-8D2DB8545CD9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x37A3E8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616162Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:06:15 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3814821642-1246775338-764227486-3646706872 Account Name: E3618F0A-482A-4A50-9E2F-8D2DB8545CD9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x37A3E8 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616161Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:06:15 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3814821642-1246775338-764227486-3646706872 Account Name: E3618F0A-482A-4A50-9E2F-8D2DB8545CD9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x37A3E8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616160Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:06:15 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E3618F0A-482A-4A50-9E2F-8D2DB8545CD9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616159Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:06:15 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3814821642-1246775338-764227486-3646706872 Account Name: E3618F0A-482A-4A50-9E2F-8D2DB8545CD9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x37A39F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616158Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:06:15 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3814821642-1246775338-764227486-3646706872 Account Name: E3618F0A-482A-4A50-9E2F-8D2DB8545CD9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x37A39F Privileges: SeImpersonatePrivilege467200125480-921436483760003481616157Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:06:15 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3814821642-1246775338-764227486-3646706872 Account Name: E3618F0A-482A-4A50-9E2F-8D2DB8545CD9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x37A39F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616156Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:06:15 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E3618F0A-482A-4A50-9E2F-8D2DB8545CD9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616155Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:06:15 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3814821642-1246775338-764227486-3646706872 Account Name: E3618F0A-482A-4A50-9E2F-8D2DB8545CD9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x37A2F6 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616154Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:06:15 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3814821642-1246775338-764227486-3646706872 Account Name: E3618F0A-482A-4A50-9E2F-8D2DB8545CD9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x37A2F6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616153Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:06:15 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E3618F0A-482A-4A50-9E2F-8D2DB8545CD9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616152Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:06:15 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x370390 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616151Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:06:14 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2181954162-1107939676-4205247894-1446876896 Account Name: 820DFA72-D15C-4209-96FD-A6FAE0963D56 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x331A0B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616150Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:06:06 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2181954162-1107939676-4205247894-1446876896 Account Name: 820DFA72-D15C-4209-96FD-A6FAE0963D56 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x374187 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616149Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:06:02 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2181954162-1107939676-4205247894-1446876896 Account Name: 820DFA72-D15C-4209-96FD-A6FAE0963D56 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x374187 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616148Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:06:02 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2181954162-1107939676-4205247894-1446876896 Account Name: 820DFA72-D15C-4209-96FD-A6FAE0963D56 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x374187 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616147Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:06:02 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 820DFA72-D15C-4209-96FD-A6FAE0963D56 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616146Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:06:02 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2318774851-1191068873-504805039-3975539037 Account Name: 8A35B243-44C9-46FE-AFB6-161E5DE9F5EC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x371F96 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616145Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:05:58 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2318774851-1191068873-504805039-3975539037 Account Name: 8A35B243-44C9-46FE-AFB6-161E5DE9F5EC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x371F96 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616144Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:05:58 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2318774851-1191068873-504805039-3975539037 Account Name: 8A35B243-44C9-46FE-AFB6-161E5DE9F5EC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x371F96 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616143Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:05:58 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8A35B243-44C9-46FE-AFB6-161E5DE9F5EC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616142Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:05:58 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x370390 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F2DBABA7-740C-DE72-ECA8-9330E34E56B4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 53681 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616141Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:05:54 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x370390 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616140Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:05:54 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2318774851-1191068873-504805039-3975539037 Account Name: 8A35B243-44C9-46FE-AFB6-161E5DE9F5EC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x36EBF5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616139Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:05:51 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2318774851-1191068873-504805039-3975539037 Account Name: 8A35B243-44C9-46FE-AFB6-161E5DE9F5EC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x36EBF5 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616138Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:05:51 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2318774851-1191068873-504805039-3975539037 Account Name: 8A35B243-44C9-46FE-AFB6-161E5DE9F5EC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x36EBF5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616137Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:05:51 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8A35B243-44C9-46FE-AFB6-161E5DE9F5EC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616136Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:05:51 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2318774851-1191068873-504805039-3975539037 Account Name: 8A35B243-44C9-46FE-AFB6-161E5DE9F5EC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x36DC44 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616135Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:05:51 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2318774851-1191068873-504805039-3975539037 Account Name: 8A35B243-44C9-46FE-AFB6-161E5DE9F5EC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x36DD8B Privileges: SeImpersonatePrivilege467200125480-921436483760003481616134Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:05:51 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2318774851-1191068873-504805039-3975539037 Account Name: 8A35B243-44C9-46FE-AFB6-161E5DE9F5EC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x36DD8B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616133Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:05:51 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8A35B243-44C9-46FE-AFB6-161E5DE9F5EC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616132Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:05:51 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2318774851-1191068873-504805039-3975539037 Account Name: 8A35B243-44C9-46FE-AFB6-161E5DE9F5EC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x36DD32 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616131Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:05:51 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2318774851-1191068873-504805039-3975539037 Account Name: 8A35B243-44C9-46FE-AFB6-161E5DE9F5EC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x36DD32 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616130Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:05:51 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2318774851-1191068873-504805039-3975539037 Account Name: 8A35B243-44C9-46FE-AFB6-161E5DE9F5EC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x36DD32 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616129Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:05:51 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8A35B243-44C9-46FE-AFB6-161E5DE9F5EC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616128Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:05:51 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2318774851-1191068873-504805039-3975539037 Account Name: 8A35B243-44C9-46FE-AFB6-161E5DE9F5EC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x36DCE9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616127Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:05:51 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2318774851-1191068873-504805039-3975539037 Account Name: 8A35B243-44C9-46FE-AFB6-161E5DE9F5EC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x36DCE9 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616126Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:05:51 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2318774851-1191068873-504805039-3975539037 Account Name: 8A35B243-44C9-46FE-AFB6-161E5DE9F5EC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x36DCE9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616125Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:05:51 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8A35B243-44C9-46FE-AFB6-161E5DE9F5EC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616124Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:05:51 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2318774851-1191068873-504805039-3975539037 Account Name: 8A35B243-44C9-46FE-AFB6-161E5DE9F5EC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x36DC44 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616123Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:05:51 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2318774851-1191068873-504805039-3975539037 Account Name: 8A35B243-44C9-46FE-AFB6-161E5DE9F5EC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x36DC44 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616122Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:05:51 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8A35B243-44C9-46FE-AFB6-161E5DE9F5EC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616121Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:05:51 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-136045036-1132621958-4238353073-3221331353 Account Name: 081BE1EC-7086-4382-B122-A0FC999D01C0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x362FEB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616120Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:05:47 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-136045036-1132621958-4238353073-3221331353 Account Name: 081BE1EC-7086-4382-B122-A0FC999D01C0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x367700 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616119Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:05:41 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-136045036-1132621958-4238353073-3221331353 Account Name: 081BE1EC-7086-4382-B122-A0FC999D01C0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x367700 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616118Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:05:41 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-136045036-1132621958-4238353073-3221331353 Account Name: 081BE1EC-7086-4382-B122-A0FC999D01C0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x367700 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616117Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:05:41 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 081BE1EC-7086-4382-B122-A0FC999D01C0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616116Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:05:41 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-136045036-1132621958-4238353073-3221331353 Account Name: 081BE1EC-7086-4382-B122-A0FC999D01C0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x363F25 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616115Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:05:35 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-136045036-1132621958-4238353073-3221331353 Account Name: 081BE1EC-7086-4382-B122-A0FC999D01C0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x363F25 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616114Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:05:35 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-136045036-1132621958-4238353073-3221331353 Account Name: 081BE1EC-7086-4382-B122-A0FC999D01C0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x363F25 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616113Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:05:35 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 081BE1EC-7086-4382-B122-A0FC999D01C0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616112Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:05:35 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-136045036-1132621958-4238353073-3221331353 Account Name: 081BE1EC-7086-4382-B122-A0FC999D01C0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x362DF7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616111Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:05:34 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-136045036-1132621958-4238353073-3221331353 Account Name: 081BE1EC-7086-4382-B122-A0FC999D01C0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x362FEB Privileges: SeImpersonatePrivilege467200125480-921436483760003481616110Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:05:34 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-136045036-1132621958-4238353073-3221331353 Account Name: 081BE1EC-7086-4382-B122-A0FC999D01C0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x362FEB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616109Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:05:34 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 081BE1EC-7086-4382-B122-A0FC999D01C0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616108Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:05:34 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-136045036-1132621958-4238353073-3221331353 Account Name: 081BE1EC-7086-4382-B122-A0FC999D01C0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x362EE9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616107Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:05:34 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-136045036-1132621958-4238353073-3221331353 Account Name: 081BE1EC-7086-4382-B122-A0FC999D01C0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x362EE9 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616106Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:05:34 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-136045036-1132621958-4238353073-3221331353 Account Name: 081BE1EC-7086-4382-B122-A0FC999D01C0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x362EE9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616105Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:05:34 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 081BE1EC-7086-4382-B122-A0FC999D01C0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616104Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:05:34 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-136045036-1132621958-4238353073-3221331353 Account Name: 081BE1EC-7086-4382-B122-A0FC999D01C0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x362E9E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616103Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:05:34 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-136045036-1132621958-4238353073-3221331353 Account Name: 081BE1EC-7086-4382-B122-A0FC999D01C0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x362E9E Privileges: SeImpersonatePrivilege467200125480-921436483760003481616102Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:05:34 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-136045036-1132621958-4238353073-3221331353 Account Name: 081BE1EC-7086-4382-B122-A0FC999D01C0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x362E9E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616101Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:05:34 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 081BE1EC-7086-4382-B122-A0FC999D01C0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616100Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:05:34 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-136045036-1132621958-4238353073-3221331353 Account Name: 081BE1EC-7086-4382-B122-A0FC999D01C0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x362DF7 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616099Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:05:34 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-136045036-1132621958-4238353073-3221331353 Account Name: 081BE1EC-7086-4382-B122-A0FC999D01C0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x362DF7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616098Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:05:34 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 081BE1EC-7086-4382-B122-A0FC999D01C0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616097Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:05:34 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2329159546-1338004481-4079855033-3302290808 Account Name: 8AD4277A-5401-4FC0-B9A5-2DF378F5D4C4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x353A11 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616096Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:05:09 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2329159546-1338004481-4079855033-3302290808 Account Name: 8AD4277A-5401-4FC0-B9A5-2DF378F5D4C4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x35886B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616095Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:05:05 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2329159546-1338004481-4079855033-3302290808 Account Name: 8AD4277A-5401-4FC0-B9A5-2DF378F5D4C4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x35886B Privileges: SeImpersonatePrivilege467200125480-921436483760003481616094Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:05:05 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2329159546-1338004481-4079855033-3302290808 Account Name: 8AD4277A-5401-4FC0-B9A5-2DF378F5D4C4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x35886B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616093Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:05:05 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8AD4277A-5401-4FC0-B9A5-2DF378F5D4C4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616092Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:05:05 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-985853220-1312026237-3888475558-644471865 Account Name: 3AC2ED24-EE7D-4E33-A66D-C5E739DC6926 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x34932A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616091Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:05:00 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2329159546-1338004481-4079855033-3302290808 Account Name: 8AD4277A-5401-4FC0-B9A5-2DF378F5D4C4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x354787 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616090Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:05:00 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2329159546-1338004481-4079855033-3302290808 Account Name: 8AD4277A-5401-4FC0-B9A5-2DF378F5D4C4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x354787 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616089Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:05:00 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2329159546-1338004481-4079855033-3302290808 Account Name: 8AD4277A-5401-4FC0-B9A5-2DF378F5D4C4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x354787 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616088Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:05:00 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8AD4277A-5401-4FC0-B9A5-2DF378F5D4C4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616087Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:05:00 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2329159546-1338004481-4079855033-3302290808 Account Name: 8AD4277A-5401-4FC0-B9A5-2DF378F5D4C4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x35389F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616086Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:04:59 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2329159546-1338004481-4079855033-3302290808 Account Name: 8AD4277A-5401-4FC0-B9A5-2DF378F5D4C4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x353A11 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616085Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:04:59 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2329159546-1338004481-4079855033-3302290808 Account Name: 8AD4277A-5401-4FC0-B9A5-2DF378F5D4C4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x353A11 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616084Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:04:59 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8AD4277A-5401-4FC0-B9A5-2DF378F5D4C4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616083Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:04:59 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2329159546-1338004481-4079855033-3302290808 Account Name: 8AD4277A-5401-4FC0-B9A5-2DF378F5D4C4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3539B8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616082Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:04:59 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2329159546-1338004481-4079855033-3302290808 Account Name: 8AD4277A-5401-4FC0-B9A5-2DF378F5D4C4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3539B8 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616081Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:04:59 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2329159546-1338004481-4079855033-3302290808 Account Name: 8AD4277A-5401-4FC0-B9A5-2DF378F5D4C4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3539B8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616080Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:04:59 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8AD4277A-5401-4FC0-B9A5-2DF378F5D4C4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616079Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:04:59 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2329159546-1338004481-4079855033-3302290808 Account Name: 8AD4277A-5401-4FC0-B9A5-2DF378F5D4C4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x35395F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616078Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:04:59 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2329159546-1338004481-4079855033-3302290808 Account Name: 8AD4277A-5401-4FC0-B9A5-2DF378F5D4C4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x35395F Privileges: SeImpersonatePrivilege467200125480-921436483760003481616077Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:04:59 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2329159546-1338004481-4079855033-3302290808 Account Name: 8AD4277A-5401-4FC0-B9A5-2DF378F5D4C4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x35395F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616076Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:04:59 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8AD4277A-5401-4FC0-B9A5-2DF378F5D4C4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616075Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:04:59 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2329159546-1338004481-4079855033-3302290808 Account Name: 8AD4277A-5401-4FC0-B9A5-2DF378F5D4C4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x35389F Privileges: SeImpersonatePrivilege467200125480-921436483760003481616074Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:04:59 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2329159546-1338004481-4079855033-3302290808 Account Name: 8AD4277A-5401-4FC0-B9A5-2DF378F5D4C4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x35389F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616073Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:04:59 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8AD4277A-5401-4FC0-B9A5-2DF378F5D4C4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616072Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:04:59 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-985853220-1312026237-3888475558-644471865 Account Name: 3AC2ED24-EE7D-4E33-A66D-C5E739DC6926 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x34D2BF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616071Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:04:52 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-985853220-1312026237-3888475558-644471865 Account Name: 3AC2ED24-EE7D-4E33-A66D-C5E739DC6926 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x34D2BF Privileges: SeImpersonatePrivilege467200125480-921436483760003481616070Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:04:52 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-985853220-1312026237-3888475558-644471865 Account Name: 3AC2ED24-EE7D-4E33-A66D-C5E739DC6926 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x34D2BF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616069Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:04:52 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3AC2ED24-EE7D-4E33-A66D-C5E739DC6926 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616068Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:04:52 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-985853220-1312026237-3888475558-644471865 Account Name: 3AC2ED24-EE7D-4E33-A66D-C5E739DC6926 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x34A165 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616067Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:04:47 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-985853220-1312026237-3888475558-644471865 Account Name: 3AC2ED24-EE7D-4E33-A66D-C5E739DC6926 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x34A165 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616066Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:04:47 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-985853220-1312026237-3888475558-644471865 Account Name: 3AC2ED24-EE7D-4E33-A66D-C5E739DC6926 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x34A165 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616065Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:04:47 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3AC2ED24-EE7D-4E33-A66D-C5E739DC6926 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616064Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:04:47 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-985853220-1312026237-3888475558-644471865 Account Name: 3AC2ED24-EE7D-4E33-A66D-C5E739DC6926 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3491D9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616063Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:04:47 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-985853220-1312026237-3888475558-644471865 Account Name: 3AC2ED24-EE7D-4E33-A66D-C5E739DC6926 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x34932A Privileges: SeImpersonatePrivilege467200125480-921436483760003481616062Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:04:47 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-985853220-1312026237-3888475558-644471865 Account Name: 3AC2ED24-EE7D-4E33-A66D-C5E739DC6926 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x34932A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616061Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:04:47 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3AC2ED24-EE7D-4E33-A66D-C5E739DC6926 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616060Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:04:47 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-985853220-1312026237-3888475558-644471865 Account Name: 3AC2ED24-EE7D-4E33-A66D-C5E739DC6926 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3492D1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616059Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:04:47 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-985853220-1312026237-3888475558-644471865 Account Name: 3AC2ED24-EE7D-4E33-A66D-C5E739DC6926 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3492D1 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616058Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:04:47 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-985853220-1312026237-3888475558-644471865 Account Name: 3AC2ED24-EE7D-4E33-A66D-C5E739DC6926 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3492D1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616057Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:04:47 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3AC2ED24-EE7D-4E33-A66D-C5E739DC6926 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616056Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:04:47 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-985853220-1312026237-3888475558-644471865 Account Name: 3AC2ED24-EE7D-4E33-A66D-C5E739DC6926 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x349288 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616055Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:04:47 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-985853220-1312026237-3888475558-644471865 Account Name: 3AC2ED24-EE7D-4E33-A66D-C5E739DC6926 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x349288 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616054Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:04:47 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-985853220-1312026237-3888475558-644471865 Account Name: 3AC2ED24-EE7D-4E33-A66D-C5E739DC6926 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x349288 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616053Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:04:47 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3AC2ED24-EE7D-4E33-A66D-C5E739DC6926 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616052Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:04:47 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-985853220-1312026237-3888475558-644471865 Account Name: 3AC2ED24-EE7D-4E33-A66D-C5E739DC6926 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3491D9 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616051Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:04:47 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-985853220-1312026237-3888475558-644471865 Account Name: 3AC2ED24-EE7D-4E33-A66D-C5E739DC6926 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3491D9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616050Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:04:47 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3AC2ED24-EE7D-4E33-A66D-C5E739DC6926 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616049Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:04:47 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x3135C4 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616048Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:04:44 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1738756796-1273229906-1325212548-1930228046 Account Name: 67A352BC-F252-4BE3-8423-FD4E4EF10C73 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B853A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616047Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:04:39 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1701222959-1154975081-1478642347-2350343547 Account Name: 65669A2F-8569-44D7-AB4A-22587B65178C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B67D8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616046Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:04:38 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2181954162-1107939676-4205247894-1446876896 Account Name: 820DFA72-D15C-4209-96FD-A6FAE0963D56 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33D272 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616045Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:04:31 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2181954162-1107939676-4205247894-1446876896 Account Name: 820DFA72-D15C-4209-96FD-A6FAE0963D56 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33D272 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616044Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:04:31 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2181954162-1107939676-4205247894-1446876896 Account Name: 820DFA72-D15C-4209-96FD-A6FAE0963D56 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33D272 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616043Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:04:31 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 820DFA72-D15C-4209-96FD-A6FAE0963D56 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616042Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:04:31 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-484642106-1334677109-2393705145-3827414468 Account Name: 1CE30D3A-8E75-4F8D-B90A-AD8EC4B521E4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D2F79 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616041Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:04:29 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-808868000-1282343494-782461879-2789212340 Account Name: 303658A0-0246-4C6F-B76B-A32EB40040A6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x32474D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616040Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:04:27 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2181954162-1107939676-4205247894-1446876896 Account Name: 820DFA72-D15C-4209-96FD-A6FAE0963D56 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x332F74 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616039Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:04:25 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2181954162-1107939676-4205247894-1446876896 Account Name: 820DFA72-D15C-4209-96FD-A6FAE0963D56 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x332F74 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616038Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:04:25 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2181954162-1107939676-4205247894-1446876896 Account Name: 820DFA72-D15C-4209-96FD-A6FAE0963D56 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x332F74 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616037Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:04:25 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 820DFA72-D15C-4209-96FD-A6FAE0963D56 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616036Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:04:25 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2181954162-1107939676-4205247894-1446876896 Account Name: 820DFA72-D15C-4209-96FD-A6FAE0963D56 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x331655 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616035Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:04:25 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2181954162-1107939676-4205247894-1446876896 Account Name: 820DFA72-D15C-4209-96FD-A6FAE0963D56 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x331A0B Privileges: SeImpersonatePrivilege467200125480-921436483760003481616034Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:04:25 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2181954162-1107939676-4205247894-1446876896 Account Name: 820DFA72-D15C-4209-96FD-A6FAE0963D56 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x331A0B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616033Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:04:25 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 820DFA72-D15C-4209-96FD-A6FAE0963D56 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616032Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:04:25 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2181954162-1107939676-4205247894-1446876896 Account Name: 820DFA72-D15C-4209-96FD-A6FAE0963D56 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x331770 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616031Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:04:25 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2181954162-1107939676-4205247894-1446876896 Account Name: 820DFA72-D15C-4209-96FD-A6FAE0963D56 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x331770 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616030Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:04:25 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2181954162-1107939676-4205247894-1446876896 Account Name: 820DFA72-D15C-4209-96FD-A6FAE0963D56 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x331770 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616029Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:04:25 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 820DFA72-D15C-4209-96FD-A6FAE0963D56 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616028Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:04:25 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2181954162-1107939676-4205247894-1446876896 Account Name: 820DFA72-D15C-4209-96FD-A6FAE0963D56 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x331714 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616027Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:04:24 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2181954162-1107939676-4205247894-1446876896 Account Name: 820DFA72-D15C-4209-96FD-A6FAE0963D56 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x331714 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616026Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:04:24 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2181954162-1107939676-4205247894-1446876896 Account Name: 820DFA72-D15C-4209-96FD-A6FAE0963D56 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x331714 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616025Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:04:24 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 820DFA72-D15C-4209-96FD-A6FAE0963D56 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616024Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:04:24 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2181954162-1107939676-4205247894-1446876896 Account Name: 820DFA72-D15C-4209-96FD-A6FAE0963D56 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x331655 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616023Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:04:24 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2181954162-1107939676-4205247894-1446876896 Account Name: 820DFA72-D15C-4209-96FD-A6FAE0963D56 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x331655 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616022Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:04:24 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 820DFA72-D15C-4209-96FD-A6FAE0963D56 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616021Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:04:24 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-808868000-1282343494-782461879-2789212340 Account Name: 303658A0-0246-4C6F-B76B-A32EB40040A6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x32EEF7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616020Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:04:23 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-808868000-1282343494-782461879-2789212340 Account Name: 303658A0-0246-4C6F-B76B-A32EB40040A6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x32EEF7 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616019Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:04:23 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-808868000-1282343494-782461879-2789212340 Account Name: 303658A0-0246-4C6F-B76B-A32EB40040A6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x32EEF7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616018Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:04:23 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 303658A0-0246-4C6F-B76B-A32EB40040A6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616017Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:04:23 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3329755997-1336398833-4061716147-3500787005 Account Name: C6780B5D-D3F1-4FA7-B3DE-18F23DC5A9D0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2E3DE5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616016Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:04:22 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-808868000-1282343494-782461879-2789212340 Account Name: 303658A0-0246-4C6F-B76B-A32EB40040A6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3255CC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616015Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 6:04:17 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-808868000-1282343494-782461879-2789212340 Account Name: 303658A0-0246-4C6F-B76B-A32EB40040A6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3255CC Privileges: SeImpersonatePrivilege467200125480-921436483760003481616014Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 6:04:17 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-808868000-1282343494-782461879-2789212340 Account Name: 303658A0-0246-4C6F-B76B-A32EB40040A6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3255CC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616013Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 6:04:17 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 303658A0-0246-4C6F-B76B-A32EB40040A6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616012Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 6:04:17 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-808868000-1282343494-782461879-2789212340 Account Name: 303658A0-0246-4C6F-B76B-A32EB40040A6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x324601 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616011Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 6:04:16 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-808868000-1282343494-782461879-2789212340 Account Name: 303658A0-0246-4C6F-B76B-A32EB40040A6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x32474D Privileges: SeImpersonatePrivilege467200125480-921436483760003481616010Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 6:04:16 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-808868000-1282343494-782461879-2789212340 Account Name: 303658A0-0246-4C6F-B76B-A32EB40040A6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x32474D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616009Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 6:04:16 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 303658A0-0246-4C6F-B76B-A32EB40040A6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616008Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 6:04:16 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-808868000-1282343494-782461879-2789212340 Account Name: 303658A0-0246-4C6F-B76B-A32EB40040A6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3246F0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616007Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 6:04:16 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-808868000-1282343494-782461879-2789212340 Account Name: 303658A0-0246-4C6F-B76B-A32EB40040A6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3246F0 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616006Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 6:04:16 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-808868000-1282343494-782461879-2789212340 Account Name: 303658A0-0246-4C6F-B76B-A32EB40040A6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3246F0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616005Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 6:04:16 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 303658A0-0246-4C6F-B76B-A32EB40040A6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616004Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 6:04:16 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-808868000-1282343494-782461879-2789212340 Account Name: 303658A0-0246-4C6F-B76B-A32EB40040A6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3246A7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616003Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 6:04:16 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-808868000-1282343494-782461879-2789212340 Account Name: 303658A0-0246-4C6F-B76B-A32EB40040A6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3246A7 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616002Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 6:04:16 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-808868000-1282343494-782461879-2789212340 Account Name: 303658A0-0246-4C6F-B76B-A32EB40040A6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3246A7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616001Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 6:04:16 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 303658A0-0246-4C6F-B76B-A32EB40040A6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616000Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 6:04:16 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-808868000-1282343494-782461879-2789212340 Account Name: 303658A0-0246-4C6F-B76B-A32EB40040A6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x324601 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615999Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 6:04:16 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-808868000-1282343494-782461879-2789212340 Account Name: 303658A0-0246-4C6F-B76B-A32EB40040A6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x324601 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615998Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 6:04:16 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 303658A0-0246-4C6F-B76B-A32EB40040A6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615997Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 6:04:16 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4265902636-1189037891-3709045393-3305681040 Account Name: FE44822C-4743-46DF-918A-13DD90B008C5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2FC431 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615996Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 6:04:15 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1737471988-1116203310-3423611013-3423783698 Account Name: 678FB7F4-E92E-4287-8528-10CC12CB12CC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x304BA1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615995Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 6:04:04 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1737471988-1116203310-3423611013-3423783698 Account Name: 678FB7F4-E92E-4287-8528-10CC12CB12CC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x319154 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615994Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 6:04:01 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1737471988-1116203310-3423611013-3423783698 Account Name: 678FB7F4-E92E-4287-8528-10CC12CB12CC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x319154 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615993Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 6:04:01 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1737471988-1116203310-3423611013-3423783698 Account Name: 678FB7F4-E92E-4287-8528-10CC12CB12CC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x319154 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615992Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 6:04:01 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 678FB7F4-E92E-4287-8528-10CC12CB12CC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615991Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 6:04:01 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-342288051-1154966703-1156323512-1392526133 Account Name: 1466E6B3-64AF-44D7-B818-EC4435430053 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3082A1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615990Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 6:03:55 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x3135C4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F2DBABA7-740C-DE72-ECA8-9330E34E56B4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 53546 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615989Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 6:03:53 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x3135C4 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615988Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 6:03:53 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-342288051-1154966703-1156323512-1392526133 Account Name: 1466E6B3-64AF-44D7-B818-EC4435430053 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x311C23 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615987Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 6:03:50 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-342288051-1154966703-1156323512-1392526133 Account Name: 1466E6B3-64AF-44D7-B818-EC4435430053 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x311C23 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615986Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 6:03:50 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-342288051-1154966703-1156323512-1392526133 Account Name: 1466E6B3-64AF-44D7-B818-EC4435430053 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x311C23 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615985Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 6:03:50 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1466E6B3-64AF-44D7-B818-EC4435430053 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615984Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 6:03:50 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1737471988-1116203310-3423611013-3423783698 Account Name: 678FB7F4-E92E-4287-8528-10CC12CB12CC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x30B0DA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615983Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 6:03:40 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1737471988-1116203310-3423611013-3423783698 Account Name: 678FB7F4-E92E-4287-8528-10CC12CB12CC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x30B0DA Privileges: SeImpersonatePrivilege467200125480-921436483760003481615982Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 6:03:40 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1737471988-1116203310-3423611013-3423783698 Account Name: 678FB7F4-E92E-4287-8528-10CC12CB12CC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x30B0DA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615981Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 6:03:40 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 678FB7F4-E92E-4287-8528-10CC12CB12CC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615980Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 6:03:40 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-342288051-1154966703-1156323512-1392526133 Account Name: 1466E6B3-64AF-44D7-B818-EC4435430053 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3091F8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615979Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 6:03:39 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-342288051-1154966703-1156323512-1392526133 Account Name: 1466E6B3-64AF-44D7-B818-EC4435430053 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3091F8 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615978Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 6:03:39 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-342288051-1154966703-1156323512-1392526133 Account Name: 1466E6B3-64AF-44D7-B818-EC4435430053 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3091F8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615977Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 6:03:39 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1466E6B3-64AF-44D7-B818-EC4435430053 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615976Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 6:03:39 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-342288051-1154966703-1156323512-1392526133 Account Name: 1466E6B3-64AF-44D7-B818-EC4435430053 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x30815A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615975Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 6:03:38 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-342288051-1154966703-1156323512-1392526133 Account Name: 1466E6B3-64AF-44D7-B818-EC4435430053 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3082A1 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615974Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 6:03:38 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-342288051-1154966703-1156323512-1392526133 Account Name: 1466E6B3-64AF-44D7-B818-EC4435430053 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3082A1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615973Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 6:03:38 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1466E6B3-64AF-44D7-B818-EC4435430053 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615972Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 6:03:38 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-342288051-1154966703-1156323512-1392526133 Account Name: 1466E6B3-64AF-44D7-B818-EC4435430053 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x308248 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615971Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 6:03:38 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-342288051-1154966703-1156323512-1392526133 Account Name: 1466E6B3-64AF-44D7-B818-EC4435430053 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x308248 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615970Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 6:03:38 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-342288051-1154966703-1156323512-1392526133 Account Name: 1466E6B3-64AF-44D7-B818-EC4435430053 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x308248 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615969Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 6:03:38 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1466E6B3-64AF-44D7-B818-EC4435430053 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615968Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 6:03:38 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-342288051-1154966703-1156323512-1392526133 Account Name: 1466E6B3-64AF-44D7-B818-EC4435430053 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3081FF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615967Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:03:38 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-342288051-1154966703-1156323512-1392526133 Account Name: 1466E6B3-64AF-44D7-B818-EC4435430053 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3081FF Privileges: SeImpersonatePrivilege467200125480-921436483760003481615966Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:03:38 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-342288051-1154966703-1156323512-1392526133 Account Name: 1466E6B3-64AF-44D7-B818-EC4435430053 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3081FF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615965Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:03:38 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1466E6B3-64AF-44D7-B818-EC4435430053 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615964Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:03:38 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-342288051-1154966703-1156323512-1392526133 Account Name: 1466E6B3-64AF-44D7-B818-EC4435430053 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x30815A Privileges: SeImpersonatePrivilege467200125480-921436483760003481615963Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:03:38 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-342288051-1154966703-1156323512-1392526133 Account Name: 1466E6B3-64AF-44D7-B818-EC4435430053 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x30815A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615962Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:03:38 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1466E6B3-64AF-44D7-B818-EC4435430053 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615961Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:03:38 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1737471988-1116203310-3423611013-3423783698 Account Name: 678FB7F4-E92E-4287-8528-10CC12CB12CC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3059C8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615960Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:03:32 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1737471988-1116203310-3423611013-3423783698 Account Name: 678FB7F4-E92E-4287-8528-10CC12CB12CC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3059C8 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615959Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:03:32 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1737471988-1116203310-3423611013-3423783698 Account Name: 678FB7F4-E92E-4287-8528-10CC12CB12CC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3059C8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615958Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:03:32 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 678FB7F4-E92E-4287-8528-10CC12CB12CC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615957Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:03:32 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1737471988-1116203310-3423611013-3423783698 Account Name: 678FB7F4-E92E-4287-8528-10CC12CB12CC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x304A4E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615956Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:03:31 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1737471988-1116203310-3423611013-3423783698 Account Name: 678FB7F4-E92E-4287-8528-10CC12CB12CC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x304BA1 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615955Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:03:31 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1737471988-1116203310-3423611013-3423783698 Account Name: 678FB7F4-E92E-4287-8528-10CC12CB12CC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x304BA1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615954Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:03:31 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 678FB7F4-E92E-4287-8528-10CC12CB12CC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615953Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:03:31 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1737471988-1116203310-3423611013-3423783698 Account Name: 678FB7F4-E92E-4287-8528-10CC12CB12CC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x304B40 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615952Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:03:31 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1737471988-1116203310-3423611013-3423783698 Account Name: 678FB7F4-E92E-4287-8528-10CC12CB12CC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x304B40 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615951Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:03:31 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1737471988-1116203310-3423611013-3423783698 Account Name: 678FB7F4-E92E-4287-8528-10CC12CB12CC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x304B40 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615950Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:03:31 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 678FB7F4-E92E-4287-8528-10CC12CB12CC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615949Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:03:31 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1737471988-1116203310-3423611013-3423783698 Account Name: 678FB7F4-E92E-4287-8528-10CC12CB12CC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x304AF7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615948Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:03:31 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1737471988-1116203310-3423611013-3423783698 Account Name: 678FB7F4-E92E-4287-8528-10CC12CB12CC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x304AF7 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615947Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:03:31 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1737471988-1116203310-3423611013-3423783698 Account Name: 678FB7F4-E92E-4287-8528-10CC12CB12CC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x304AF7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615946Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:03:31 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 678FB7F4-E92E-4287-8528-10CC12CB12CC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615945Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:03:31 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1737471988-1116203310-3423611013-3423783698 Account Name: 678FB7F4-E92E-4287-8528-10CC12CB12CC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x304A4E Privileges: SeImpersonatePrivilege467200125480-921436483760003481615944Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:03:31 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1737471988-1116203310-3423611013-3423783698 Account Name: 678FB7F4-E92E-4287-8528-10CC12CB12CC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x304A4E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615943Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:03:31 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 678FB7F4-E92E-4287-8528-10CC12CB12CC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615942Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:03:31 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4265902636-1189037891-3709045393-3305681040 Account Name: FE44822C-4743-46DF-918A-13DD90B008C5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x302FDB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615941Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:03:28 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4265902636-1189037891-3709045393-3305681040 Account Name: FE44822C-4743-46DF-918A-13DD90B008C5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x302FDB Privileges: SeImpersonatePrivilege467200125480-921436483760003481615940Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:03:28 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4265902636-1189037891-3709045393-3305681040 Account Name: FE44822C-4743-46DF-918A-13DD90B008C5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x302FDB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615939Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:03:28 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: FE44822C-4743-46DF-918A-13DD90B008C5 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615938Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:03:28 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4265902636-1189037891-3709045393-3305681040 Account Name: FE44822C-4743-46DF-918A-13DD90B008C5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2FD21D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615937Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:03:17 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4265902636-1189037891-3709045393-3305681040 Account Name: FE44822C-4743-46DF-918A-13DD90B008C5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2FD21D Privileges: SeImpersonatePrivilege467200125480-921436483760003481615936Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:03:17 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4265902636-1189037891-3709045393-3305681040 Account Name: FE44822C-4743-46DF-918A-13DD90B008C5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2FD21D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615935Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:03:17 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: FE44822C-4743-46DF-918A-13DD90B008C5 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615934Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:03:17 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4265902636-1189037891-3709045393-3305681040 Account Name: FE44822C-4743-46DF-918A-13DD90B008C5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2FC2BE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615933Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:03:16 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4265902636-1189037891-3709045393-3305681040 Account Name: FE44822C-4743-46DF-918A-13DD90B008C5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2FC431 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615932Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:03:16 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4265902636-1189037891-3709045393-3305681040 Account Name: FE44822C-4743-46DF-918A-13DD90B008C5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2FC431 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615931Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:03:16 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: FE44822C-4743-46DF-918A-13DD90B008C5 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615930Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:03:16 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4265902636-1189037891-3709045393-3305681040 Account Name: FE44822C-4743-46DF-918A-13DD90B008C5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2FC3D8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615929Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:03:16 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4265902636-1189037891-3709045393-3305681040 Account Name: FE44822C-4743-46DF-918A-13DD90B008C5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2FC3D8 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615928Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:03:16 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4265902636-1189037891-3709045393-3305681040 Account Name: FE44822C-4743-46DF-918A-13DD90B008C5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2FC3D8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615927Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:03:16 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: FE44822C-4743-46DF-918A-13DD90B008C5 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615926Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:03:16 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4265902636-1189037891-3709045393-3305681040 Account Name: FE44822C-4743-46DF-918A-13DD90B008C5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2FC38F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615925Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:03:16 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4265902636-1189037891-3709045393-3305681040 Account Name: FE44822C-4743-46DF-918A-13DD90B008C5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2FC38F Privileges: SeImpersonatePrivilege467200125480-921436483760003481615924Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:03:16 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4265902636-1189037891-3709045393-3305681040 Account Name: FE44822C-4743-46DF-918A-13DD90B008C5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2FC38F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615923Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:03:16 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: FE44822C-4743-46DF-918A-13DD90B008C5 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615922Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:03:16 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4265902636-1189037891-3709045393-3305681040 Account Name: FE44822C-4743-46DF-918A-13DD90B008C5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2FC2BE Privileges: SeImpersonatePrivilege467200125480-921436483760003481615921Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:03:16 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4265902636-1189037891-3709045393-3305681040 Account Name: FE44822C-4743-46DF-918A-13DD90B008C5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2FC2BE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615920Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:03:16 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: FE44822C-4743-46DF-918A-13DD90B008C5 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615919Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:03:16 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x2C5189 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615918Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 6:03:14 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2176115605-1093997065-4026984579-4125831957 Account Name: 81B4E395-1209-4135-83E8-06F01533EBF5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2EB6D5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615917Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:03:07 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2176115605-1093997065-4026984579-4125831957 Account Name: 81B4E395-1209-4135-83E8-06F01533EBF5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2F5162 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615916Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:03:02 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2176115605-1093997065-4026984579-4125831957 Account Name: 81B4E395-1209-4135-83E8-06F01533EBF5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2F5162 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615915Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:03:02 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2176115605-1093997065-4026984579-4125831957 Account Name: 81B4E395-1209-4135-83E8-06F01533EBF5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2F5162 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615914Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:03:02 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 81B4E395-1209-4135-83E8-06F01533EBF5 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615913Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:03:02 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3329755997-1336398833-4061716147-3500787005 Account Name: C6780B5D-D3F1-4FA7-B3DE-18F23DC5A9D0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2F094D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615912Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:02:56 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3329755997-1336398833-4061716147-3500787005 Account Name: C6780B5D-D3F1-4FA7-B3DE-18F23DC5A9D0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2F094D Privileges: SeImpersonatePrivilege467200125480-921436483760003481615911Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:02:56 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3329755997-1336398833-4061716147-3500787005 Account Name: C6780B5D-D3F1-4FA7-B3DE-18F23DC5A9D0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2F094D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615910Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:02:56 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C6780B5D-D3F1-4FA7-B3DE-18F23DC5A9D0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615909Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:02:56 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1974707150-1102033844-1661971368-4225432128 Account Name: 75B3A3CE-B3B4-41AF-A8AB-0F6340FADAFB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2EE2F5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615908Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:02:55 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1974707150-1102033844-1661971368-4225432128 Account Name: 75B3A3CE-B3B4-41AF-A8AB-0F6340FADAFB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2EE2F5 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615907Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:02:55 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1974707150-1102033844-1661971368-4225432128 Account Name: 75B3A3CE-B3B4-41AF-A8AB-0F6340FADAFB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2EE2F5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615906Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:02:55 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 75B3A3CE-B3B4-41AF-A8AB-0F6340FADAFB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615905Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:02:55 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2176115605-1093997065-4026984579-4125831957 Account Name: 81B4E395-1209-4135-83E8-06F01533EBF5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2EC55C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615904Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:02:54 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2176115605-1093997065-4026984579-4125831957 Account Name: 81B4E395-1209-4135-83E8-06F01533EBF5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2EC55C Privileges: SeImpersonatePrivilege467200125480-921436483760003481615903Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:02:54 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2176115605-1093997065-4026984579-4125831957 Account Name: 81B4E395-1209-4135-83E8-06F01533EBF5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2EC55C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615902Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:02:54 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 81B4E395-1209-4135-83E8-06F01533EBF5 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615901Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:02:54 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2176115605-1093997065-4026984579-4125831957 Account Name: 81B4E395-1209-4135-83E8-06F01533EBF5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2EB58E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615900Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:02:54 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2176115605-1093997065-4026984579-4125831957 Account Name: 81B4E395-1209-4135-83E8-06F01533EBF5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2EB6D5 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615899Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:02:53 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2176115605-1093997065-4026984579-4125831957 Account Name: 81B4E395-1209-4135-83E8-06F01533EBF5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2EB6D5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615898Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:02:53 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 81B4E395-1209-4135-83E8-06F01533EBF5 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615897Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:02:53 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2176115605-1093997065-4026984579-4125831957 Account Name: 81B4E395-1209-4135-83E8-06F01533EBF5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2EB67C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615896Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:02:53 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2176115605-1093997065-4026984579-4125831957 Account Name: 81B4E395-1209-4135-83E8-06F01533EBF5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2EB67C Privileges: SeImpersonatePrivilege467200125480-921436483760003481615895Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:02:53 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2176115605-1093997065-4026984579-4125831957 Account Name: 81B4E395-1209-4135-83E8-06F01533EBF5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2EB67C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615894Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:02:53 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 81B4E395-1209-4135-83E8-06F01533EBF5 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615893Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:02:53 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2176115605-1093997065-4026984579-4125831957 Account Name: 81B4E395-1209-4135-83E8-06F01533EBF5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2EB633 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615892Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:02:53 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2176115605-1093997065-4026984579-4125831957 Account Name: 81B4E395-1209-4135-83E8-06F01533EBF5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2EB633 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615891Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:02:53 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2176115605-1093997065-4026984579-4125831957 Account Name: 81B4E395-1209-4135-83E8-06F01533EBF5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2EB633 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615890Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:02:53 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 81B4E395-1209-4135-83E8-06F01533EBF5 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615889Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:02:53 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2176115605-1093997065-4026984579-4125831957 Account Name: 81B4E395-1209-4135-83E8-06F01533EBF5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2EB58E Privileges: SeImpersonatePrivilege467200125480-921436483760003481615888Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:02:53 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2176115605-1093997065-4026984579-4125831957 Account Name: 81B4E395-1209-4135-83E8-06F01533EBF5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2EB58E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615887Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:02:53 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 81B4E395-1209-4135-83E8-06F01533EBF5 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615886Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:02:53 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3597135717-1094229262-3706116481-1949790267 Account Name: D667EF65-9D0E-4138-81D9-E6DC3B703774 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2DB3BF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615885Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:02:53 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3329755997-1336398833-4061716147-3500787005 Account Name: C6780B5D-D3F1-4FA7-B3DE-18F23DC5A9D0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2E4D74 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615884Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:02:50 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3329755997-1336398833-4061716147-3500787005 Account Name: C6780B5D-D3F1-4FA7-B3DE-18F23DC5A9D0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2E4D74 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615883Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:02:50 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3329755997-1336398833-4061716147-3500787005 Account Name: C6780B5D-D3F1-4FA7-B3DE-18F23DC5A9D0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2E4D74 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615882Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:02:50 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C6780B5D-D3F1-4FA7-B3DE-18F23DC5A9D0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615881Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:02:50 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3329755997-1336398833-4061716147-3500787005 Account Name: C6780B5D-D3F1-4FA7-B3DE-18F23DC5A9D0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2E3C9E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615880Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:02:49 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3329755997-1336398833-4061716147-3500787005 Account Name: C6780B5D-D3F1-4FA7-B3DE-18F23DC5A9D0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2E3DE5 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615879Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:02:49 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3329755997-1336398833-4061716147-3500787005 Account Name: C6780B5D-D3F1-4FA7-B3DE-18F23DC5A9D0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2E3DE5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615878Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:02:49 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C6780B5D-D3F1-4FA7-B3DE-18F23DC5A9D0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615877Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:02:49 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3329755997-1336398833-4061716147-3500787005 Account Name: C6780B5D-D3F1-4FA7-B3DE-18F23DC5A9D0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2E3D8C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615876Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:02:49 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3329755997-1336398833-4061716147-3500787005 Account Name: C6780B5D-D3F1-4FA7-B3DE-18F23DC5A9D0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2E3D8C Privileges: SeImpersonatePrivilege467200125480-921436483760003481615875Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:02:49 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3329755997-1336398833-4061716147-3500787005 Account Name: C6780B5D-D3F1-4FA7-B3DE-18F23DC5A9D0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2E3D8C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615874Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:02:49 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C6780B5D-D3F1-4FA7-B3DE-18F23DC5A9D0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615873Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:02:49 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3329755997-1336398833-4061716147-3500787005 Account Name: C6780B5D-D3F1-4FA7-B3DE-18F23DC5A9D0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2E3D43 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615872Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:02:49 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3329755997-1336398833-4061716147-3500787005 Account Name: C6780B5D-D3F1-4FA7-B3DE-18F23DC5A9D0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2E3D43 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615871Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:02:49 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3329755997-1336398833-4061716147-3500787005 Account Name: C6780B5D-D3F1-4FA7-B3DE-18F23DC5A9D0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2E3D43 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615870Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:02:49 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C6780B5D-D3F1-4FA7-B3DE-18F23DC5A9D0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615869Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:02:49 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3329755997-1336398833-4061716147-3500787005 Account Name: C6780B5D-D3F1-4FA7-B3DE-18F23DC5A9D0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2E3C9E Privileges: SeImpersonatePrivilege467200125480-921436483760003481615868Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:02:49 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3329755997-1336398833-4061716147-3500787005 Account Name: C6780B5D-D3F1-4FA7-B3DE-18F23DC5A9D0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2E3C9E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615867Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:02:49 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C6780B5D-D3F1-4FA7-B3DE-18F23DC5A9D0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615866Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:02:49 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3597135717-1094229262-3706116481-1949790267 Account Name: D667EF65-9D0E-4138-81D9-E6DC3B703774 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2E2564 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615865Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:02:48 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3597135717-1094229262-3706116481-1949790267 Account Name: D667EF65-9D0E-4138-81D9-E6DC3B703774 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2E2564 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615864Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:02:48 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3597135717-1094229262-3706116481-1949790267 Account Name: D667EF65-9D0E-4138-81D9-E6DC3B703774 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2E2564 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615863Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:02:48 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D667EF65-9D0E-4138-81D9-E6DC3B703774 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615862Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:02:48 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1974707150-1102033844-1661971368-4225432128 Account Name: 75B3A3CE-B3B4-41AF-A8AB-0F6340FADAFB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2E084C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615861Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:02:47 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1974707150-1102033844-1661971368-4225432128 Account Name: 75B3A3CE-B3B4-41AF-A8AB-0F6340FADAFB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2E084C Privileges: SeImpersonatePrivilege467200125480-921436483760003481615860Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:02:47 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1974707150-1102033844-1661971368-4225432128 Account Name: 75B3A3CE-B3B4-41AF-A8AB-0F6340FADAFB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2E084C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615859Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:02:47 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 75B3A3CE-B3B4-41AF-A8AB-0F6340FADAFB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615858Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:02:47 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1974707150-1102033844-1661971368-4225432128 Account Name: 75B3A3CE-B3B4-41AF-A8AB-0F6340FADAFB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2DF8B8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615857Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:02:46 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1974707150-1102033844-1661971368-4225432128 Account Name: 75B3A3CE-B3B4-41AF-A8AB-0F6340FADAFB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2DFA03 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615856Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:02:46 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1974707150-1102033844-1661971368-4225432128 Account Name: 75B3A3CE-B3B4-41AF-A8AB-0F6340FADAFB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2DFA03 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615855Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:02:46 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 75B3A3CE-B3B4-41AF-A8AB-0F6340FADAFB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615854Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:02:46 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1974707150-1102033844-1661971368-4225432128 Account Name: 75B3A3CE-B3B4-41AF-A8AB-0F6340FADAFB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2DF9AA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615853Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:02:46 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1974707150-1102033844-1661971368-4225432128 Account Name: 75B3A3CE-B3B4-41AF-A8AB-0F6340FADAFB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2DF9AA Privileges: SeImpersonatePrivilege467200125480-921436483760003481615852Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:02:46 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1974707150-1102033844-1661971368-4225432128 Account Name: 75B3A3CE-B3B4-41AF-A8AB-0F6340FADAFB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2DF9AA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615851Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:02:46 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 75B3A3CE-B3B4-41AF-A8AB-0F6340FADAFB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615850Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:02:46 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1974707150-1102033844-1661971368-4225432128 Account Name: 75B3A3CE-B3B4-41AF-A8AB-0F6340FADAFB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2DF95D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615849Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:02:46 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1974707150-1102033844-1661971368-4225432128 Account Name: 75B3A3CE-B3B4-41AF-A8AB-0F6340FADAFB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2DF95D Privileges: SeImpersonatePrivilege467200125480-921436483760003481615848Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:02:46 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1974707150-1102033844-1661971368-4225432128 Account Name: 75B3A3CE-B3B4-41AF-A8AB-0F6340FADAFB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2DF95D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615847Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:02:46 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 75B3A3CE-B3B4-41AF-A8AB-0F6340FADAFB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615846Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:02:46 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1974707150-1102033844-1661971368-4225432128 Account Name: 75B3A3CE-B3B4-41AF-A8AB-0F6340FADAFB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2DF8B8 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615845Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:02:46 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1974707150-1102033844-1661971368-4225432128 Account Name: 75B3A3CE-B3B4-41AF-A8AB-0F6340FADAFB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2DF8B8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615844Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:02:46 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 75B3A3CE-B3B4-41AF-A8AB-0F6340FADAFB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615843Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:02:46 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3597135717-1094229262-3706116481-1949790267 Account Name: D667EF65-9D0E-4138-81D9-E6DC3B703774 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2DC14B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615842Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:02:41 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3597135717-1094229262-3706116481-1949790267 Account Name: D667EF65-9D0E-4138-81D9-E6DC3B703774 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2DC14B Privileges: SeImpersonatePrivilege467200125480-921436483760003481615841Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:02:41 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3597135717-1094229262-3706116481-1949790267 Account Name: D667EF65-9D0E-4138-81D9-E6DC3B703774 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2DC14B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615840Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:02:41 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D667EF65-9D0E-4138-81D9-E6DC3B703774 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615839Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:02:41 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3597135717-1094229262-3706116481-1949790267 Account Name: D667EF65-9D0E-4138-81D9-E6DC3B703774 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2DB277 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615838Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:02:41 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3597135717-1094229262-3706116481-1949790267 Account Name: D667EF65-9D0E-4138-81D9-E6DC3B703774 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2DB3BF Privileges: SeImpersonatePrivilege467200125480-921436483760003481615837Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:02:41 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3597135717-1094229262-3706116481-1949790267 Account Name: D667EF65-9D0E-4138-81D9-E6DC3B703774 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2DB3BF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615836Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:02:41 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D667EF65-9D0E-4138-81D9-E6DC3B703774 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615835Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:02:41 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3597135717-1094229262-3706116481-1949790267 Account Name: D667EF65-9D0E-4138-81D9-E6DC3B703774 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2DB366 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615834Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:02:41 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3597135717-1094229262-3706116481-1949790267 Account Name: D667EF65-9D0E-4138-81D9-E6DC3B703774 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2DB366 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615833Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:02:41 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3597135717-1094229262-3706116481-1949790267 Account Name: D667EF65-9D0E-4138-81D9-E6DC3B703774 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2DB366 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615832Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:02:41 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D667EF65-9D0E-4138-81D9-E6DC3B703774 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615831Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:02:41 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3597135717-1094229262-3706116481-1949790267 Account Name: D667EF65-9D0E-4138-81D9-E6DC3B703774 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2DB31D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615830Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:02:40 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3597135717-1094229262-3706116481-1949790267 Account Name: D667EF65-9D0E-4138-81D9-E6DC3B703774 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2DB31D Privileges: SeImpersonatePrivilege467200125480-921436483760003481615829Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:02:40 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3597135717-1094229262-3706116481-1949790267 Account Name: D667EF65-9D0E-4138-81D9-E6DC3B703774 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2DB31D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615828Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:02:40 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D667EF65-9D0E-4138-81D9-E6DC3B703774 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615827Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:02:40 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3597135717-1094229262-3706116481-1949790267 Account Name: D667EF65-9D0E-4138-81D9-E6DC3B703774 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2DB277 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615826Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:02:40 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3597135717-1094229262-3706116481-1949790267 Account Name: D667EF65-9D0E-4138-81D9-E6DC3B703774 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2DB277 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615825Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:02:40 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D667EF65-9D0E-4138-81D9-E6DC3B703774 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615824Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:02:40 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-484642106-1334677109-2393705145-3827414468 Account Name: 1CE30D3A-8E75-4F8D-B90A-AD8EC4B521E4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D720C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615823Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:02:25 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-484642106-1334677109-2393705145-3827414468 Account Name: 1CE30D3A-8E75-4F8D-B90A-AD8EC4B521E4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D720C Privileges: SeImpersonatePrivilege467200125480-921436483760003481615822Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:02:25 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-484642106-1334677109-2393705145-3827414468 Account Name: 1CE30D3A-8E75-4F8D-B90A-AD8EC4B521E4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D720C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615821Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:02:25 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1CE30D3A-8E75-4F8D-B90A-AD8EC4B521E4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615820Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:02:25 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-484642106-1334677109-2393705145-3827414468 Account Name: 1CE30D3A-8E75-4F8D-B90A-AD8EC4B521E4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D3CCE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615819Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:02:19 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-484642106-1334677109-2393705145-3827414468 Account Name: 1CE30D3A-8E75-4F8D-B90A-AD8EC4B521E4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D3CCE Privileges: SeImpersonatePrivilege467200125480-921436483760003481615818Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:02:19 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-484642106-1334677109-2393705145-3827414468 Account Name: 1CE30D3A-8E75-4F8D-B90A-AD8EC4B521E4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D3CCE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615817Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:02:19 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1CE30D3A-8E75-4F8D-B90A-AD8EC4B521E4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615816Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:02:19 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-484642106-1334677109-2393705145-3827414468 Account Name: 1CE30D3A-8E75-4F8D-B90A-AD8EC4B521E4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D2E32 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615815Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:02:19 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-484642106-1334677109-2393705145-3827414468 Account Name: 1CE30D3A-8E75-4F8D-B90A-AD8EC4B521E4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D2F79 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615814Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:02:19 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-484642106-1334677109-2393705145-3827414468 Account Name: 1CE30D3A-8E75-4F8D-B90A-AD8EC4B521E4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D2F79 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615813Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:02:19 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1CE30D3A-8E75-4F8D-B90A-AD8EC4B521E4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615812Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:02:19 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-484642106-1334677109-2393705145-3827414468 Account Name: 1CE30D3A-8E75-4F8D-B90A-AD8EC4B521E4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D2F20 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615811Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:02:19 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-484642106-1334677109-2393705145-3827414468 Account Name: 1CE30D3A-8E75-4F8D-B90A-AD8EC4B521E4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D2F20 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615810Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:02:19 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-484642106-1334677109-2393705145-3827414468 Account Name: 1CE30D3A-8E75-4F8D-B90A-AD8EC4B521E4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D2F20 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615809Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:02:19 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1CE30D3A-8E75-4F8D-B90A-AD8EC4B521E4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615808Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:02:19 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-484642106-1334677109-2393705145-3827414468 Account Name: 1CE30D3A-8E75-4F8D-B90A-AD8EC4B521E4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D2ED7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615807Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:02:19 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-484642106-1334677109-2393705145-3827414468 Account Name: 1CE30D3A-8E75-4F8D-B90A-AD8EC4B521E4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D2ED7 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615806Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:02:19 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-484642106-1334677109-2393705145-3827414468 Account Name: 1CE30D3A-8E75-4F8D-B90A-AD8EC4B521E4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D2ED7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615805Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:02:19 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1CE30D3A-8E75-4F8D-B90A-AD8EC4B521E4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615804Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:02:19 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-484642106-1334677109-2393705145-3827414468 Account Name: 1CE30D3A-8E75-4F8D-B90A-AD8EC4B521E4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D2E32 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615803Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:02:19 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-484642106-1334677109-2393705145-3827414468 Account Name: 1CE30D3A-8E75-4F8D-B90A-AD8EC4B521E4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D2E32 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615802Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:02:19 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1CE30D3A-8E75-4F8D-B90A-AD8EC4B521E4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615801Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:02:19 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2316067660-1293641949-1210466187-1960938975 Account Name: 8A0C634C-68DD-4D1B-8B3F-2648DF8DE174 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1CFCB3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615800Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:02:09 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-41077537-1159118891-1447570876-516911416 Account Name: 0272CB21-C02B-4516-BC2D-48563871CF1E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D43CF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615799Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:02:00 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x2C5189 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F2DBABA7-740C-DE72-ECA8-9330E34E56B4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 53396 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615798Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:01:52 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x2C5189 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615797Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:01:52 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-21724788-1321387573-2200864413-2048927811 Account Name: 014B7E74-C635-4EC2-9D86-2E834328207A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x29AD4F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615796Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:01:52 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1738756796-1273229906-1325212548-1930228046 Account Name: 67A352BC-F252-4BE3-8423-FD4E4EF10C73 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2C0404 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615795Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:01:46 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1738756796-1273229906-1325212548-1930228046 Account Name: 67A352BC-F252-4BE3-8423-FD4E4EF10C73 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2C0404 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615794Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:01:46 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1738756796-1273229906-1325212548-1930228046 Account Name: 67A352BC-F252-4BE3-8423-FD4E4EF10C73 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2C0404 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615793Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:01:46 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 67A352BC-F252-4BE3-8423-FD4E4EF10C73 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615792Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:01:46 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1701222959-1154975081-1478642347-2350343547 Account Name: 65669A2F-8569-44D7-AB4A-22587B65178C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2BDAD7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615791Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:01:42 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1701222959-1154975081-1478642347-2350343547 Account Name: 65669A2F-8569-44D7-AB4A-22587B65178C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2BDAD7 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615790Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:01:42 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1701222959-1154975081-1478642347-2350343547 Account Name: 65669A2F-8569-44D7-AB4A-22587B65178C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2BDAD7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615789Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:01:42 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 65669A2F-8569-44D7-AB4A-22587B65178C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615788Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:01:42 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1738756796-1273229906-1325212548-1930228046 Account Name: 67A352BC-F252-4BE3-8423-FD4E4EF10C73 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B9354 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615787Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:01:37 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1738756796-1273229906-1325212548-1930228046 Account Name: 67A352BC-F252-4BE3-8423-FD4E4EF10C73 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B9354 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615786Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:01:37 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1738756796-1273229906-1325212548-1930228046 Account Name: 67A352BC-F252-4BE3-8423-FD4E4EF10C73 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B9354 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615785Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:01:37 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 67A352BC-F252-4BE3-8423-FD4E4EF10C73 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615784Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:01:37 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1738756796-1273229906-1325212548-1930228046 Account Name: 67A352BC-F252-4BE3-8423-FD4E4EF10C73 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B83EF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615783Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:01:36 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1738756796-1273229906-1325212548-1930228046 Account Name: 67A352BC-F252-4BE3-8423-FD4E4EF10C73 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B853A Privileges: SeImpersonatePrivilege467200125480-921436483760003481615782Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:01:36 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1738756796-1273229906-1325212548-1930228046 Account Name: 67A352BC-F252-4BE3-8423-FD4E4EF10C73 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B853A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615781Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:01:36 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 67A352BC-F252-4BE3-8423-FD4E4EF10C73 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615780Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:01:36 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1738756796-1273229906-1325212548-1930228046 Account Name: 67A352BC-F252-4BE3-8423-FD4E4EF10C73 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B84DD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615779Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:01:36 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1738756796-1273229906-1325212548-1930228046 Account Name: 67A352BC-F252-4BE3-8423-FD4E4EF10C73 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B84DD Privileges: SeImpersonatePrivilege467200125480-921436483760003481615778Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:01:36 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1738756796-1273229906-1325212548-1930228046 Account Name: 67A352BC-F252-4BE3-8423-FD4E4EF10C73 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B84DD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615777Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:01:36 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 67A352BC-F252-4BE3-8423-FD4E4EF10C73 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615776Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:01:36 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1738756796-1273229906-1325212548-1930228046 Account Name: 67A352BC-F252-4BE3-8423-FD4E4EF10C73 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B8494 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615775Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:01:36 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1738756796-1273229906-1325212548-1930228046 Account Name: 67A352BC-F252-4BE3-8423-FD4E4EF10C73 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B8494 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615774Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:01:36 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1738756796-1273229906-1325212548-1930228046 Account Name: 67A352BC-F252-4BE3-8423-FD4E4EF10C73 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B8494 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615773Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:01:36 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 67A352BC-F252-4BE3-8423-FD4E4EF10C73 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615772Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:01:36 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1738756796-1273229906-1325212548-1930228046 Account Name: 67A352BC-F252-4BE3-8423-FD4E4EF10C73 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B83EF Privileges: SeImpersonatePrivilege467200125480-921436483760003481615771Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:01:36 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1738756796-1273229906-1325212548-1930228046 Account Name: 67A352BC-F252-4BE3-8423-FD4E4EF10C73 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B83EF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615770Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:01:36 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 67A352BC-F252-4BE3-8423-FD4E4EF10C73 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615769Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:01:36 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1701222959-1154975081-1478642347-2350343547 Account Name: 65669A2F-8569-44D7-AB4A-22587B65178C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B7568 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615768Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:01:34 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1701222959-1154975081-1478642347-2350343547 Account Name: 65669A2F-8569-44D7-AB4A-22587B65178C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B7568 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615767Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:01:34 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1701222959-1154975081-1478642347-2350343547 Account Name: 65669A2F-8569-44D7-AB4A-22587B65178C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B7568 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615766Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:01:34 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 65669A2F-8569-44D7-AB4A-22587B65178C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615765Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:01:34 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1701222959-1154975081-1478642347-2350343547 Account Name: 65669A2F-8569-44D7-AB4A-22587B65178C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B6605 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615764Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:01:34 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1701222959-1154975081-1478642347-2350343547 Account Name: 65669A2F-8569-44D7-AB4A-22587B65178C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B67D8 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615763Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:01:34 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1701222959-1154975081-1478642347-2350343547 Account Name: 65669A2F-8569-44D7-AB4A-22587B65178C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B67D8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615762Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:01:34 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 65669A2F-8569-44D7-AB4A-22587B65178C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615761Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:01:34 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1701222959-1154975081-1478642347-2350343547 Account Name: 65669A2F-8569-44D7-AB4A-22587B65178C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B677F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615760Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:01:34 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1701222959-1154975081-1478642347-2350343547 Account Name: 65669A2F-8569-44D7-AB4A-22587B65178C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B677F Privileges: SeImpersonatePrivilege467200125480-921436483760003481615759Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:01:34 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1701222959-1154975081-1478642347-2350343547 Account Name: 65669A2F-8569-44D7-AB4A-22587B65178C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B677F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615758Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:01:34 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 65669A2F-8569-44D7-AB4A-22587B65178C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615757Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:01:34 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1701222959-1154975081-1478642347-2350343547 Account Name: 65669A2F-8569-44D7-AB4A-22587B65178C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B6736 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615756Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:01:34 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1701222959-1154975081-1478642347-2350343547 Account Name: 65669A2F-8569-44D7-AB4A-22587B65178C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B6736 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615755Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:01:34 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1701222959-1154975081-1478642347-2350343547 Account Name: 65669A2F-8569-44D7-AB4A-22587B65178C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B6736 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615754Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:01:34 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 65669A2F-8569-44D7-AB4A-22587B65178C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615753Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:01:34 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1701222959-1154975081-1478642347-2350343547 Account Name: 65669A2F-8569-44D7-AB4A-22587B65178C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B6605 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615752Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:01:34 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1701222959-1154975081-1478642347-2350343547 Account Name: 65669A2F-8569-44D7-AB4A-22587B65178C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B6605 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615751Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:01:34 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 65669A2F-8569-44D7-AB4A-22587B65178C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615750Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:01:34 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2037549647-1228525802-1944797602-3471823606 Account Name: 79728A4F-D0EA-4939-A241-EB73F6D2EFCE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2951EE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615749Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:01:24 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2622429653-1227152534-1206867102-2869880080 Account Name: 9C4F19D5-DC96-4924-9E54-EF4710E50EAB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x292928 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615748Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:01:20 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-464330438-1079889936-2400554408-1795100099 Account Name: 1BAD1EC6-D010-405D-A88D-158FC30DFF6A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25F68A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615747Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:01:14 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-702528535-1185129581-1579734191-1282537387 Account Name: 29DFBC17-A46D-46A3-AFD4-285EABF7714C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x276FDD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615746Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:01:07 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-21724788-1321387573-2200864413-2048927811 Account Name: 014B7E74-C635-4EC2-9D86-2E834328207A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2A4C0A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615745Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:01:06 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-21724788-1321387573-2200864413-2048927811 Account Name: 014B7E74-C635-4EC2-9D86-2E834328207A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2A4C0A Privileges: SeImpersonatePrivilege467200125480-921436483760003481615744Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:01:06 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-21724788-1321387573-2200864413-2048927811 Account Name: 014B7E74-C635-4EC2-9D86-2E834328207A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2A4C0A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615743Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:01:06 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 014B7E74-C635-4EC2-9D86-2E834328207A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615742Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:01:06 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2037549647-1228525802-1944797602-3471823606 Account Name: 79728A4F-D0EA-4939-A241-EB73F6D2EFCE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x29E1CB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615741Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:01:01 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2037549647-1228525802-1944797602-3471823606 Account Name: 79728A4F-D0EA-4939-A241-EB73F6D2EFCE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x29E1CB Privileges: SeImpersonatePrivilege467200125480-921436483760003481615740Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:01:01 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2037549647-1228525802-1944797602-3471823606 Account Name: 79728A4F-D0EA-4939-A241-EB73F6D2EFCE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x29E1CB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615739Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:01:01 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 79728A4F-D0EA-4939-A241-EB73F6D2EFCE Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615738Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:01:01 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-21724788-1321387573-2200864413-2048927811 Account Name: 014B7E74-C635-4EC2-9D86-2E834328207A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x29BB9D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615737Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:01:00 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-21724788-1321387573-2200864413-2048927811 Account Name: 014B7E74-C635-4EC2-9D86-2E834328207A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x29BB9D Privileges: SeImpersonatePrivilege467200125480-921436483760003481615736Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:01:00 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-21724788-1321387573-2200864413-2048927811 Account Name: 014B7E74-C635-4EC2-9D86-2E834328207A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x29BB9D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615735Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:01:00 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 014B7E74-C635-4EC2-9D86-2E834328207A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615734Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:01:00 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-21724788-1321387573-2200864413-2048927811 Account Name: 014B7E74-C635-4EC2-9D86-2E834328207A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x29AADF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615733Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:00:59 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-21724788-1321387573-2200864413-2048927811 Account Name: 014B7E74-C635-4EC2-9D86-2E834328207A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x29AD4F Privileges: SeImpersonatePrivilege467200125480-921436483760003481615732Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:00:59 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-21724788-1321387573-2200864413-2048927811 Account Name: 014B7E74-C635-4EC2-9D86-2E834328207A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x29AD4F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615731Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:00:59 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 014B7E74-C635-4EC2-9D86-2E834328207A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615730Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:00:59 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-21724788-1321387573-2200864413-2048927811 Account Name: 014B7E74-C635-4EC2-9D86-2E834328207A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x29ACF6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615729Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:00:59 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-21724788-1321387573-2200864413-2048927811 Account Name: 014B7E74-C635-4EC2-9D86-2E834328207A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x29ACF6 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615728Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:00:59 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-21724788-1321387573-2200864413-2048927811 Account Name: 014B7E74-C635-4EC2-9D86-2E834328207A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x29ACF6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615727Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:00:59 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 014B7E74-C635-4EC2-9D86-2E834328207A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615726Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:00:59 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-21724788-1321387573-2200864413-2048927811 Account Name: 014B7E74-C635-4EC2-9D86-2E834328207A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x29ACAD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615725Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 6:00:59 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-21724788-1321387573-2200864413-2048927811 Account Name: 014B7E74-C635-4EC2-9D86-2E834328207A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x29ACAD Privileges: SeImpersonatePrivilege467200125480-921436483760003481615724Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:00:59 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-21724788-1321387573-2200864413-2048927811 Account Name: 014B7E74-C635-4EC2-9D86-2E834328207A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x29ACAD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615723Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:00:59 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 014B7E74-C635-4EC2-9D86-2E834328207A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615722Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:00:59 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-21724788-1321387573-2200864413-2048927811 Account Name: 014B7E74-C635-4EC2-9D86-2E834328207A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x29AADF Privileges: SeImpersonatePrivilege467200125480-921436483760003481615721Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:00:59 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-21724788-1321387573-2200864413-2048927811 Account Name: 014B7E74-C635-4EC2-9D86-2E834328207A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x29AADF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615720Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:00:59 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 014B7E74-C635-4EC2-9D86-2E834328207A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615719Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:00:59 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2622429653-1227152534-1206867102-2869880080 Account Name: 9C4F19D5-DC96-4924-9E54-EF4710E50EAB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x299E1B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615718Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:00:59 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2622429653-1227152534-1206867102-2869880080 Account Name: 9C4F19D5-DC96-4924-9E54-EF4710E50EAB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x299E1B Privileges: SeImpersonatePrivilege467200125480-921436483760003481615717Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:00:59 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2622429653-1227152534-1206867102-2869880080 Account Name: 9C4F19D5-DC96-4924-9E54-EF4710E50EAB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x299E1B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615716Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:00:59 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9C4F19D5-DC96-4924-9E54-EF4710E50EAB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615715Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:00:59 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2037549647-1228525802-1944797602-3471823606 Account Name: 79728A4F-D0EA-4939-A241-EB73F6D2EFCE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2961A2 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615714Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:00:55 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2037549647-1228525802-1944797602-3471823606 Account Name: 79728A4F-D0EA-4939-A241-EB73F6D2EFCE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2961A2 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615713Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:00:55 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2037549647-1228525802-1944797602-3471823606 Account Name: 79728A4F-D0EA-4939-A241-EB73F6D2EFCE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2961A2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615712Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:00:55 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 79728A4F-D0EA-4939-A241-EB73F6D2EFCE Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615711Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:00:55 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2037549647-1228525802-1944797602-3471823606 Account Name: 79728A4F-D0EA-4939-A241-EB73F6D2EFCE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x294DB4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615710Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:00:54 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2037549647-1228525802-1944797602-3471823606 Account Name: 79728A4F-D0EA-4939-A241-EB73F6D2EFCE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2951EE Privileges: SeImpersonatePrivilege467200125480-921436483760003481615709Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:00:54 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2037549647-1228525802-1944797602-3471823606 Account Name: 79728A4F-D0EA-4939-A241-EB73F6D2EFCE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2951EE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615708Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:00:54 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 79728A4F-D0EA-4939-A241-EB73F6D2EFCE Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615707Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:00:54 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2037549647-1228525802-1944797602-3471823606 Account Name: 79728A4F-D0EA-4939-A241-EB73F6D2EFCE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2950D1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615706Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:00:54 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2037549647-1228525802-1944797602-3471823606 Account Name: 79728A4F-D0EA-4939-A241-EB73F6D2EFCE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2950D1 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615705Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:00:54 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2037549647-1228525802-1944797602-3471823606 Account Name: 79728A4F-D0EA-4939-A241-EB73F6D2EFCE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2950D1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615704Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:00:54 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 79728A4F-D0EA-4939-A241-EB73F6D2EFCE Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615703Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:00:54 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2037549647-1228525802-1944797602-3471823606 Account Name: 79728A4F-D0EA-4939-A241-EB73F6D2EFCE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x294F3D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615702Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 6:00:54 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2037549647-1228525802-1944797602-3471823606 Account Name: 79728A4F-D0EA-4939-A241-EB73F6D2EFCE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x294F3D Privileges: SeImpersonatePrivilege467200125480-921436483760003481615701Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:00:54 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2037549647-1228525802-1944797602-3471823606 Account Name: 79728A4F-D0EA-4939-A241-EB73F6D2EFCE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x294F3D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615700Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:00:54 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 79728A4F-D0EA-4939-A241-EB73F6D2EFCE Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615699Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:00:54 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2037549647-1228525802-1944797602-3471823606 Account Name: 79728A4F-D0EA-4939-A241-EB73F6D2EFCE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x294DB4 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615698Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:00:54 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2037549647-1228525802-1944797602-3471823606 Account Name: 79728A4F-D0EA-4939-A241-EB73F6D2EFCE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x294DB4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615697Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:00:54 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 79728A4F-D0EA-4939-A241-EB73F6D2EFCE Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615696Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:00:54 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2622429653-1227152534-1206867102-2869880080 Account Name: 9C4F19D5-DC96-4924-9E54-EF4710E50EAB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2936F9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615695Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:00:52 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2622429653-1227152534-1206867102-2869880080 Account Name: 9C4F19D5-DC96-4924-9E54-EF4710E50EAB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2936F9 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615694Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:00:52 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2622429653-1227152534-1206867102-2869880080 Account Name: 9C4F19D5-DC96-4924-9E54-EF4710E50EAB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2936F9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615693Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:00:52 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9C4F19D5-DC96-4924-9E54-EF4710E50EAB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615692Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:00:52 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2622429653-1227152534-1206867102-2869880080 Account Name: 9C4F19D5-DC96-4924-9E54-EF4710E50EAB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2927E1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615691Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:00:52 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2622429653-1227152534-1206867102-2869880080 Account Name: 9C4F19D5-DC96-4924-9E54-EF4710E50EAB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x292928 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615690Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:00:52 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2622429653-1227152534-1206867102-2869880080 Account Name: 9C4F19D5-DC96-4924-9E54-EF4710E50EAB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x292928 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615689Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:00:52 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9C4F19D5-DC96-4924-9E54-EF4710E50EAB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615688Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:00:52 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2622429653-1227152534-1206867102-2869880080 Account Name: 9C4F19D5-DC96-4924-9E54-EF4710E50EAB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2928CF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615687Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:00:52 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2622429653-1227152534-1206867102-2869880080 Account Name: 9C4F19D5-DC96-4924-9E54-EF4710E50EAB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2928CF Privileges: SeImpersonatePrivilege467200125480-921436483760003481615686Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:00:52 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2622429653-1227152534-1206867102-2869880080 Account Name: 9C4F19D5-DC96-4924-9E54-EF4710E50EAB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2928CF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615685Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:00:52 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9C4F19D5-DC96-4924-9E54-EF4710E50EAB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615684Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:00:52 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2622429653-1227152534-1206867102-2869880080 Account Name: 9C4F19D5-DC96-4924-9E54-EF4710E50EAB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x292886 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615683Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:00:52 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2622429653-1227152534-1206867102-2869880080 Account Name: 9C4F19D5-DC96-4924-9E54-EF4710E50EAB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x292886 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615682Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:00:52 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2622429653-1227152534-1206867102-2869880080 Account Name: 9C4F19D5-DC96-4924-9E54-EF4710E50EAB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x292886 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615681Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:00:52 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9C4F19D5-DC96-4924-9E54-EF4710E50EAB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615680Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:00:52 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2622429653-1227152534-1206867102-2869880080 Account Name: 9C4F19D5-DC96-4924-9E54-EF4710E50EAB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2927E1 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615679Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:00:52 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2622429653-1227152534-1206867102-2869880080 Account Name: 9C4F19D5-DC96-4924-9E54-EF4710E50EAB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2927E1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615678Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:00:52 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9C4F19D5-DC96-4924-9E54-EF4710E50EAB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615677Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:00:52 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2854775424-1093099768-1009840299-3058715468 Account Name: AA286A80-60F8-4127-ABF0-303C4C4B50B6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2848A9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615676Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 6:00:51 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x27E771 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615675Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 6:00:14 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x24FC1D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615674Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 6:00:14 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2854775424-1093099768-1009840299-3058715468 Account Name: AA286A80-60F8-4127-ABF0-303C4C4B50B6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x288D5C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615673Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 6:00:14 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2854775424-1093099768-1009840299-3058715468 Account Name: AA286A80-60F8-4127-ABF0-303C4C4B50B6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x288D5C Privileges: SeImpersonatePrivilege467200125480-921436483760003481615672Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 6:00:14 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2854775424-1093099768-1009840299-3058715468 Account Name: AA286A80-60F8-4127-ABF0-303C4C4B50B6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x288D5C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615671Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 6:00:14 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: AA286A80-60F8-4127-ABF0-303C4C4B50B6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615670Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 6:00:14 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2854775424-1093099768-1009840299-3058715468 Account Name: AA286A80-60F8-4127-ABF0-303C4C4B50B6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x285670 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615669Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 6:00:04 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2854775424-1093099768-1009840299-3058715468 Account Name: AA286A80-60F8-4127-ABF0-303C4C4B50B6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x285670 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615668Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 6:00:04 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2854775424-1093099768-1009840299-3058715468 Account Name: AA286A80-60F8-4127-ABF0-303C4C4B50B6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x285670 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615667Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 6:00:04 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: AA286A80-60F8-4127-ABF0-303C4C4B50B6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615666Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 6:00:04 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2854775424-1093099768-1009840299-3058715468 Account Name: AA286A80-60F8-4127-ABF0-303C4C4B50B6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x284761 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615665Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 6:00:03 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2854775424-1093099768-1009840299-3058715468 Account Name: AA286A80-60F8-4127-ABF0-303C4C4B50B6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2848A9 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615664Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 6:00:03 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2854775424-1093099768-1009840299-3058715468 Account Name: AA286A80-60F8-4127-ABF0-303C4C4B50B6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2848A9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615663Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 6:00:03 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: AA286A80-60F8-4127-ABF0-303C4C4B50B6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615662Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 6:00:03 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2854775424-1093099768-1009840299-3058715468 Account Name: AA286A80-60F8-4127-ABF0-303C4C4B50B6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x284850 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615661Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 6:00:03 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2854775424-1093099768-1009840299-3058715468 Account Name: AA286A80-60F8-4127-ABF0-303C4C4B50B6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x284850 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615660Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 6:00:03 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2854775424-1093099768-1009840299-3058715468 Account Name: AA286A80-60F8-4127-ABF0-303C4C4B50B6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x284850 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615659Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 6:00:03 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: AA286A80-60F8-4127-ABF0-303C4C4B50B6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615658Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 6:00:03 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2854775424-1093099768-1009840299-3058715468 Account Name: AA286A80-60F8-4127-ABF0-303C4C4B50B6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x284807 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615657Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 6:00:03 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2854775424-1093099768-1009840299-3058715468 Account Name: AA286A80-60F8-4127-ABF0-303C4C4B50B6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x284807 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615656Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 6:00:03 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2854775424-1093099768-1009840299-3058715468 Account Name: AA286A80-60F8-4127-ABF0-303C4C4B50B6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x284807 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615655Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 6:00:03 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: AA286A80-60F8-4127-ABF0-303C4C4B50B6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615654Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 6:00:03 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2854775424-1093099768-1009840299-3058715468 Account Name: AA286A80-60F8-4127-ABF0-303C4C4B50B6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x284761 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615653Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 6:00:03 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2854775424-1093099768-1009840299-3058715468 Account Name: AA286A80-60F8-4127-ABF0-303C4C4B50B6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x284761 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615652Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 6:00:03 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: AA286A80-60F8-4127-ABF0-303C4C4B50B6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615651Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 6:00:03 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1812270614-1225756965-54171068-1058539849 Account Name: 6C050E16-9125-490F-BC95-3A034909183F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25D8FE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615650Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 6:00:02 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x24FC74 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615649Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:59:54 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x24FC5D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615648Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:59:54 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x24FC46 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615647Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:59:54 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x24FC33 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615646Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:59:54 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x24FEC8 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615645Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:59:54 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x24FDC7 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615644Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:59:54 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4172445388-1180462091-1388852360-1014591754 Account Name: F8B276CC-6C0B-465C-8834-C8520A71793C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1243C7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615643Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:59:54 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4172445388-1180462091-1388852360-1014591754 Account Name: F8B276CC-6C0B-465C-8834-C8520A71793C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x11B69A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615642Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:59:54 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x27E771 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F2DBABA7-740C-DE72-ECA8-9330E34E56B4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 53248 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615641Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:59:51 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x27E771 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615640Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:59:51 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-650866845-1114061388-1148192150-168056869 Account Name: 26CB709D-3A4C-4267-9605-70442558040A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x147F4B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615639Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:59:48 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-650866845-1114061388-1148192150-168056869 Account Name: 26CB709D-3A4C-4267-9605-70442558040A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x13E46B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615638Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:59:48 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-702528535-1185129581-1579734191-1282537387 Account Name: 29DFBC17-A46D-46A3-AFD4-285EABF7714C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x27B41A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615637Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:59:38 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-702528535-1185129581-1579734191-1282537387 Account Name: 29DFBC17-A46D-46A3-AFD4-285EABF7714C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x27B41A Privileges: SeImpersonatePrivilege467200125480-921436483760003481615636Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:59:38 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-702528535-1185129581-1579734191-1282537387 Account Name: 29DFBC17-A46D-46A3-AFD4-285EABF7714C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x27B41A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615635Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:59:38 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 29DFBC17-A46D-46A3-AFD4-285EABF7714C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615634Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:59:38 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-702528535-1185129581-1579734191-1282537387 Account Name: 29DFBC17-A46D-46A3-AFD4-285EABF7714C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x277E30 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615633Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:59:32 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-702528535-1185129581-1579734191-1282537387 Account Name: 29DFBC17-A46D-46A3-AFD4-285EABF7714C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x277E30 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615632Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:59:32 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-702528535-1185129581-1579734191-1282537387 Account Name: 29DFBC17-A46D-46A3-AFD4-285EABF7714C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x277E30 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615631Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:59:32 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 29DFBC17-A46D-46A3-AFD4-285EABF7714C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615630Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:59:32 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-702528535-1185129581-1579734191-1282537387 Account Name: 29DFBC17-A46D-46A3-AFD4-285EABF7714C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x276E96 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615629Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:59:31 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-702528535-1185129581-1579734191-1282537387 Account Name: 29DFBC17-A46D-46A3-AFD4-285EABF7714C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x276FDD Privileges: SeImpersonatePrivilege467200125480-921436483760003481615628Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:59:31 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-702528535-1185129581-1579734191-1282537387 Account Name: 29DFBC17-A46D-46A3-AFD4-285EABF7714C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x276FDD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615627Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:59:31 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 29DFBC17-A46D-46A3-AFD4-285EABF7714C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615626Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:59:31 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-702528535-1185129581-1579734191-1282537387 Account Name: 29DFBC17-A46D-46A3-AFD4-285EABF7714C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x276F84 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615625Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:59:31 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-702528535-1185129581-1579734191-1282537387 Account Name: 29DFBC17-A46D-46A3-AFD4-285EABF7714C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x276F84 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615624Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:59:31 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-702528535-1185129581-1579734191-1282537387 Account Name: 29DFBC17-A46D-46A3-AFD4-285EABF7714C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x276F84 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615623Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:59:31 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 29DFBC17-A46D-46A3-AFD4-285EABF7714C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615622Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:59:31 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-702528535-1185129581-1579734191-1282537387 Account Name: 29DFBC17-A46D-46A3-AFD4-285EABF7714C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x276F3B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615621Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:59:31 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-702528535-1185129581-1579734191-1282537387 Account Name: 29DFBC17-A46D-46A3-AFD4-285EABF7714C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x276F3B Privileges: SeImpersonatePrivilege467200125480-921436483760003481615620Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:59:31 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-702528535-1185129581-1579734191-1282537387 Account Name: 29DFBC17-A46D-46A3-AFD4-285EABF7714C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x276F3B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615619Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:59:31 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 29DFBC17-A46D-46A3-AFD4-285EABF7714C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615618Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:59:31 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-702528535-1185129581-1579734191-1282537387 Account Name: 29DFBC17-A46D-46A3-AFD4-285EABF7714C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x276E96 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615617Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:59:31 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-702528535-1185129581-1579734191-1282537387 Account Name: 29DFBC17-A46D-46A3-AFD4-285EABF7714C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x276E96 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615616Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:59:31 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 29DFBC17-A46D-46A3-AFD4-285EABF7714C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615615Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:59:31 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3676406116-1298940146-3104720567-3224585845 Account Name: DB218164-40F2-4D6C-B746-0EB9754633C0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2616B2 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615614Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:59:21 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3676406116-1298940146-3104720567-3224585845 Account Name: DB218164-40F2-4D6C-B746-0EB9754633C0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x26F2A1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615613Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:59:15 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3676406116-1298940146-3104720567-3224585845 Account Name: DB218164-40F2-4D6C-B746-0EB9754633C0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x26F2A1 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615612Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:59:15 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3676406116-1298940146-3104720567-3224585845 Account Name: DB218164-40F2-4D6C-B746-0EB9754633C0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x26F2A1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615611Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:59:15 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DB218164-40F2-4D6C-B746-0EB9754633C0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615610Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:59:15 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-464330438-1079889936-2400554408-1795100099 Account Name: 1BAD1EC6-D010-405D-A88D-158FC30DFF6A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x26DF48 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615609Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:59:15 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-464330438-1079889936-2400554408-1795100099 Account Name: 1BAD1EC6-D010-405D-A88D-158FC30DFF6A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x26DF48 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615608Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:59:15 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-464330438-1079889936-2400554408-1795100099 Account Name: 1BAD1EC6-D010-405D-A88D-158FC30DFF6A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x26DF48 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615607Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:59:15 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1BAD1EC6-D010-405D-A88D-158FC30DFF6A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615606Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:59:15 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2756600912-1079915068-3502637496-73418714 Account Name: A44E6450-323C-405E-B801-C6D0DA476004 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2560CA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615605Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:59:12 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2756600912-1079915068-3502637496-73418714 Account Name: A44E6450-323C-405E-B801-C6D0DA476004 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x24CCD5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615604Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:59:12 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1812270614-1225756965-54171068-1058539849 Account Name: 6C050E16-9125-490F-BC95-3A034909183F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x266BBB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615603Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:59:10 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1812270614-1225756965-54171068-1058539849 Account Name: 6C050E16-9125-490F-BC95-3A034909183F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x266BBB Privileges: SeImpersonatePrivilege467200125480-921436483760003481615602Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:59:10 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1812270614-1225756965-54171068-1058539849 Account Name: 6C050E16-9125-490F-BC95-3A034909183F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x266BBB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615601Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:59:10 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6C050E16-9125-490F-BC95-3A034909183F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615600Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:59:10 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x24FA45 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615599Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:59:10 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3676406116-1298940146-3104720567-3224585845 Account Name: DB218164-40F2-4D6C-B746-0EB9754633C0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x262640 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615598Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:59:06 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3676406116-1298940146-3104720567-3224585845 Account Name: DB218164-40F2-4D6C-B746-0EB9754633C0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x262640 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615597Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:59:06 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3676406116-1298940146-3104720567-3224585845 Account Name: DB218164-40F2-4D6C-B746-0EB9754633C0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x262640 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615596Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:59:06 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DB218164-40F2-4D6C-B746-0EB9754633C0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615595Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:59:06 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3676406116-1298940146-3104720567-3224585845 Account Name: DB218164-40F2-4D6C-B746-0EB9754633C0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x26156B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615594Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:59:06 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3676406116-1298940146-3104720567-3224585845 Account Name: DB218164-40F2-4D6C-B746-0EB9754633C0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2616B2 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615593Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:59:06 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3676406116-1298940146-3104720567-3224585845 Account Name: DB218164-40F2-4D6C-B746-0EB9754633C0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2616B2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615592Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:59:06 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DB218164-40F2-4D6C-B746-0EB9754633C0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615591Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:59:06 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3676406116-1298940146-3104720567-3224585845 Account Name: DB218164-40F2-4D6C-B746-0EB9754633C0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x261659 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615590Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:59:06 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3676406116-1298940146-3104720567-3224585845 Account Name: DB218164-40F2-4D6C-B746-0EB9754633C0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x261659 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615589Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:59:06 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3676406116-1298940146-3104720567-3224585845 Account Name: DB218164-40F2-4D6C-B746-0EB9754633C0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x261659 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615588Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:59:06 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DB218164-40F2-4D6C-B746-0EB9754633C0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615587Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:59:06 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3676406116-1298940146-3104720567-3224585845 Account Name: DB218164-40F2-4D6C-B746-0EB9754633C0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x261610 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615586Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:59:06 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3676406116-1298940146-3104720567-3224585845 Account Name: DB218164-40F2-4D6C-B746-0EB9754633C0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x261610 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615585Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:59:06 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3676406116-1298940146-3104720567-3224585845 Account Name: DB218164-40F2-4D6C-B746-0EB9754633C0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x261610 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615584Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:59:06 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DB218164-40F2-4D6C-B746-0EB9754633C0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615583Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:59:06 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3676406116-1298940146-3104720567-3224585845 Account Name: DB218164-40F2-4D6C-B746-0EB9754633C0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x26156B Privileges: SeImpersonatePrivilege467200125480-921436483760003481615582Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:59:06 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3676406116-1298940146-3104720567-3224585845 Account Name: DB218164-40F2-4D6C-B746-0EB9754633C0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x26156B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615581Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:59:06 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DB218164-40F2-4D6C-B746-0EB9754633C0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615580Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:59:06 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-464330438-1079889936-2400554408-1795100099 Account Name: 1BAD1EC6-D010-405D-A88D-158FC30DFF6A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2604D5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615579Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:59:05 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-464330438-1079889936-2400554408-1795100099 Account Name: 1BAD1EC6-D010-405D-A88D-158FC30DFF6A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2604D5 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615578Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:59:05 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-464330438-1079889936-2400554408-1795100099 Account Name: 1BAD1EC6-D010-405D-A88D-158FC30DFF6A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2604D5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615577Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:59:05 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1BAD1EC6-D010-405D-A88D-158FC30DFF6A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615576Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:59:05 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-464330438-1079889936-2400554408-1795100099 Account Name: 1BAD1EC6-D010-405D-A88D-158FC30DFF6A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25F543 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615575Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:59:05 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-464330438-1079889936-2400554408-1795100099 Account Name: 1BAD1EC6-D010-405D-A88D-158FC30DFF6A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25F68A Privileges: SeImpersonatePrivilege467200125480-921436483760003481615574Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:59:05 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-464330438-1079889936-2400554408-1795100099 Account Name: 1BAD1EC6-D010-405D-A88D-158FC30DFF6A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25F68A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615573Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:59:05 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1BAD1EC6-D010-405D-A88D-158FC30DFF6A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615572Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:59:05 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-464330438-1079889936-2400554408-1795100099 Account Name: 1BAD1EC6-D010-405D-A88D-158FC30DFF6A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25F631 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615571Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:59:05 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-464330438-1079889936-2400554408-1795100099 Account Name: 1BAD1EC6-D010-405D-A88D-158FC30DFF6A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25F631 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615570Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:59:05 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-464330438-1079889936-2400554408-1795100099 Account Name: 1BAD1EC6-D010-405D-A88D-158FC30DFF6A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25F631 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615569Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:59:05 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1BAD1EC6-D010-405D-A88D-158FC30DFF6A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615568Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:59:05 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-464330438-1079889936-2400554408-1795100099 Account Name: 1BAD1EC6-D010-405D-A88D-158FC30DFF6A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25F5E8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615567Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:59:05 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-464330438-1079889936-2400554408-1795100099 Account Name: 1BAD1EC6-D010-405D-A88D-158FC30DFF6A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25F5E8 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615566Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:59:05 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-464330438-1079889936-2400554408-1795100099 Account Name: 1BAD1EC6-D010-405D-A88D-158FC30DFF6A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25F5E8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615565Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:59:05 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1BAD1EC6-D010-405D-A88D-158FC30DFF6A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615564Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:59:05 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-464330438-1079889936-2400554408-1795100099 Account Name: 1BAD1EC6-D010-405D-A88D-158FC30DFF6A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25F543 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615563Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:59:05 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-464330438-1079889936-2400554408-1795100099 Account Name: 1BAD1EC6-D010-405D-A88D-158FC30DFF6A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25F543 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615562Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:59:05 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1BAD1EC6-D010-405D-A88D-158FC30DFF6A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615561Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:59:05 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-1106 Account Name: N-H1-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x25046B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615560Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:59:04 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1812270614-1225756965-54171068-1058539849 Account Name: 6C050E16-9125-490F-BC95-3A034909183F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25E7AE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615559Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:59:04 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1812270614-1225756965-54171068-1058539849 Account Name: 6C050E16-9125-490F-BC95-3A034909183F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25E7AE Privileges: SeImpersonatePrivilege467200125480-921436483760003481615558Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:59:04 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1812270614-1225756965-54171068-1058539849 Account Name: 6C050E16-9125-490F-BC95-3A034909183F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25E7AE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615557Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:59:04 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6C050E16-9125-490F-BC95-3A034909183F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615556Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:59:04 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1812270614-1225756965-54171068-1058539849 Account Name: 6C050E16-9125-490F-BC95-3A034909183F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25D7B7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615555Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:59:03 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1812270614-1225756965-54171068-1058539849 Account Name: 6C050E16-9125-490F-BC95-3A034909183F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25D8FE Privileges: SeImpersonatePrivilege467200125480-921436483760003481615554Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:59:03 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1812270614-1225756965-54171068-1058539849 Account Name: 6C050E16-9125-490F-BC95-3A034909183F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25D8FE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615553Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:59:03 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6C050E16-9125-490F-BC95-3A034909183F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615552Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:59:03 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1812270614-1225756965-54171068-1058539849 Account Name: 6C050E16-9125-490F-BC95-3A034909183F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25D8A5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615551Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:59:03 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1812270614-1225756965-54171068-1058539849 Account Name: 6C050E16-9125-490F-BC95-3A034909183F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25D8A5 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615550Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:59:03 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1812270614-1225756965-54171068-1058539849 Account Name: 6C050E16-9125-490F-BC95-3A034909183F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25D8A5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615549Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:59:03 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6C050E16-9125-490F-BC95-3A034909183F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615548Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:59:03 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1812270614-1225756965-54171068-1058539849 Account Name: 6C050E16-9125-490F-BC95-3A034909183F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25D85C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615547Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:59:03 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1812270614-1225756965-54171068-1058539849 Account Name: 6C050E16-9125-490F-BC95-3A034909183F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25D85C Privileges: SeImpersonatePrivilege467200125480-921436483760003481615546Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:59:03 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1812270614-1225756965-54171068-1058539849 Account Name: 6C050E16-9125-490F-BC95-3A034909183F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25D85C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615545Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:59:03 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6C050E16-9125-490F-BC95-3A034909183F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615544Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:59:03 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1812270614-1225756965-54171068-1058539849 Account Name: 6C050E16-9125-490F-BC95-3A034909183F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25D7B7 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615543Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:59:03 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1812270614-1225756965-54171068-1058539849 Account Name: 6C050E16-9125-490F-BC95-3A034909183F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25D7B7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615542Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:59:03 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6C050E16-9125-490F-BC95-3A034909183F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615541Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:59:03 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1742501798-1240840172-2213718932-3356429124 Account Name: 67DC77A6-B7EC-49F5-94AB-F283440B0FC8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2273D5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615540Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:59:03 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x24FFB4 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615539Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:56 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2756600912-1079915068-3502637496-73418714 Account Name: A44E6450-323C-405E-B801-C6D0DA476004 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2560CA Privileges: SeImpersonatePrivilege467200125480-921436483760003481615538Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:56 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2756600912-1079915068-3502637496-73418714 Account Name: A44E6450-323C-405E-B801-C6D0DA476004 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2560CA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615537Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:56 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A44E6450-323C-405E-B801-C6D0DA476004 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615536Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:56 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x2512C9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615535Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:54 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x2512C9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7C3D82AD-77BE-3C62-B5B8-0CF232B06C6D} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615534Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:54 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x2512C9 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615533Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:54 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2756600912-1079915068-3502637496-73418714 Account Name: A44E6450-323C-405E-B801-C6D0DA476004 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x251057 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615532Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:54 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2756600912-1079915068-3502637496-73418714 Account Name: A44E6450-323C-405E-B801-C6D0DA476004 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x251057 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615531Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:54 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2756600912-1079915068-3502637496-73418714 Account Name: A44E6450-323C-405E-B801-C6D0DA476004 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x251057 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615530Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:54 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A44E6450-323C-405E-B801-C6D0DA476004 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615529Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:54 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2756600912-1079915068-3502637496-73418714 Account Name: A44E6450-323C-405E-B801-C6D0DA476004 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x250E4E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615528Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:54 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2756600912-1079915068-3502637496-73418714 Account Name: A44E6450-323C-405E-B801-C6D0DA476004 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x250E4E Privileges: SeImpersonatePrivilege467200125480-921436483760003481615527Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:54 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2756600912-1079915068-3502637496-73418714 Account Name: A44E6450-323C-405E-B801-C6D0DA476004 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x250E4E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615526Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:54 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A44E6450-323C-405E-B801-C6D0DA476004 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615525Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:54 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-1106 Account Name: N-H1-830646-22$ Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x25046B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9A52271C-037F-502A-1FDE-F34092406395} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 53243 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615524Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:54 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-1106 Account Name: N-H1-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x24FFD6 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615523Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:54 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-1106 Account Name: N-H1-830646-22$ Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x24FFD6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9A52271C-037F-502A-1FDE-F34092406395} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615522Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:54 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x24FFB4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7C3D82AD-77BE-3C62-B5B8-0CF232B06C6D} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615521Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:54 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x24FFB4 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615520Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:54 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x24FEC8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7C3D82AD-77BE-3C62-B5B8-0CF232B06C6D} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 53250 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615519Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:54 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x24FEC8 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615518Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:54 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x24FDC7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7C3D82AD-77BE-3C62-B5B8-0CF232B06C6D} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 53250 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615517Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:54 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x24FDC7 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615516Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:54 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x24FC74 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7C3D82AD-77BE-3C62-B5B8-0CF232B06C6D} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 53249 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615515Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:54 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x24FC74 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615514Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:54 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x24FC5D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7C3D82AD-77BE-3C62-B5B8-0CF232B06C6D} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 53249 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615513Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:54 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x24FC5D Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615512Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:54 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x24FC46 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7C3D82AD-77BE-3C62-B5B8-0CF232B06C6D} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 53249 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615511Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:54 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x24FC46 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615510Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:54 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x24FC33 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7C3D82AD-77BE-3C62-B5B8-0CF232B06C6D} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 53249 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615509Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:54 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x24FC33 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615508Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:54 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x24FC1D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B85719B1-50A8-BABA-B4C7-48A7FBC5B92F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 53248 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615507Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:54 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x24FC1D Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615506Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:54 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x24FA7E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615505Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:53 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x24FA8F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615504Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:53 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x24FAA4 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615503Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:53 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x24FAA4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {D0B31884-CC83-5AC1-AEA2-9978389BDDB1} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 53247 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615502Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:53 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x24FAA4 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615501Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:53 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x24FA8F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {D0B31884-CC83-5AC1-AEA2-9978389BDDB1} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 53246 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615500Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:53 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x24FA8F Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615499Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:53 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x24FA7E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {D0B31884-CC83-5AC1-AEA2-9978389BDDB1} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 53245 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615498Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:53 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x24FA7E Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615497Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:53 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x24FA45 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {D0B31884-CC83-5AC1-AEA2-9978389BDDB1} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 53243 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615496Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:53 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x24FA45 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615495Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:53 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x24CC7E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615494Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:49 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2756600912-1079915068-3502637496-73418714 Account Name: A44E6450-323C-405E-B801-C6D0DA476004 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x24CD4B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615493Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:49 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2756600912-1079915068-3502637496-73418714 Account Name: A44E6450-323C-405E-B801-C6D0DA476004 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x24CD4B Privileges: SeImpersonatePrivilege467200125480-921436483760003481615492Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:49 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2756600912-1079915068-3502637496-73418714 Account Name: A44E6450-323C-405E-B801-C6D0DA476004 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x24CD4B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615491Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:49 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A44E6450-323C-405E-B801-C6D0DA476004 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615490Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:49 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2756600912-1079915068-3502637496-73418714 Account Name: A44E6450-323C-405E-B801-C6D0DA476004 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x24CCD5 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615489Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:49 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2756600912-1079915068-3502637496-73418714 Account Name: A44E6450-323C-405E-B801-C6D0DA476004 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x24CCD5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615488Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:49 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A44E6450-323C-405E-B801-C6D0DA476004 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615487Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:49 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x24CC7E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {37B7FBC4-2B18-573D-4A6C-3BFA73DACB3A} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: RestrictedKrbHost/n-h1-830646-22@CBCI-830646-22.LOCAL Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615486Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:49 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x24CC7E Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615485Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:49 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x214BA2 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615484Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:44 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x1FAAA4 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615483Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:44 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1732802776-1194204687-611716497-2322968333 Account Name: 674878D8-1E0F-472E-910D-76240DAF758A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x191A96 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615482Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:43 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1675277344-1179342418-3696488370-955351435 Account Name: 63DAB420-5652-464B-B2EF-53DC8B81F138 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x223D46 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615481Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:33 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1675277344-1179342418-3696488370-955351435 Account Name: 63DAB420-5652-464B-B2EF-53DC8B81F138 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x240D73 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615480Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:30 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1675277344-1179342418-3696488370-955351435 Account Name: 63DAB420-5652-464B-B2EF-53DC8B81F138 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x240D73 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615479Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:30 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1675277344-1179342418-3696488370-955351435 Account Name: 63DAB420-5652-464B-B2EF-53DC8B81F138 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x240D73 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615478Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:30 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 63DAB420-5652-464B-B2EF-53DC8B81F138 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615477Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:30 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1559921319-1175711406-314459796-3780761786 Account Name: 5CFA82A7-EEAE-4613-9446-BE12BAD859E1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x22FBCE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615476Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:27 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2316067660-1293641949-1210466187-1960938975 Account Name: 8A0C634C-68DD-4D1B-8B3F-2648DF8DE174 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x23B09D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615475Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:25 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2316067660-1293641949-1210466187-1960938975 Account Name: 8A0C634C-68DD-4D1B-8B3F-2648DF8DE174 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x23B09D Privileges: SeImpersonatePrivilege467200125480-921436483760003481615474Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:25 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2316067660-1293641949-1210466187-1960938975 Account Name: 8A0C634C-68DD-4D1B-8B3F-2648DF8DE174 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x23B09D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615473Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:25 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8A0C634C-68DD-4D1B-8B3F-2648DF8DE174 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615472Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:25 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2316067660-1293641949-1210466187-1960938975 Account Name: 8A0C634C-68DD-4D1B-8B3F-2648DF8DE174 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x239C06 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615471Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:25 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2316067660-1293641949-1210466187-1960938975 Account Name: 8A0C634C-68DD-4D1B-8B3F-2648DF8DE174 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x239C06 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615470Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:25 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2316067660-1293641949-1210466187-1960938975 Account Name: 8A0C634C-68DD-4D1B-8B3F-2648DF8DE174 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x239C06 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615469Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:25 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8A0C634C-68DD-4D1B-8B3F-2648DF8DE174 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615468Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:25 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x1FAB13 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615467Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:24 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x1FAAFE Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615466Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:24 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x1FAAE7 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615465Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:24 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x1FAAD6 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615464Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:24 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x1FAB4A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615463Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:24 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1742501798-1240840172-2213718932-3356429124 Account Name: 67DC77A6-B7EC-49F5-94AB-F283440B0FC8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x236028 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615462Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:23 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1742501798-1240840172-2213718932-3356429124 Account Name: 67DC77A6-B7EC-49F5-94AB-F283440B0FC8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x236028 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615461Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:23 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1742501798-1240840172-2213718932-3356429124 Account Name: 67DC77A6-B7EC-49F5-94AB-F283440B0FC8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x236028 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615460Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:23 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 67DC77A6-B7EC-49F5-94AB-F283440B0FC8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615459Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:23 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1559921319-1175711406-314459796-3780761786 Account Name: 5CFA82A7-EEAE-4613-9446-BE12BAD859E1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x23335A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615458Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:21 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1559921319-1175711406-314459796-3780761786 Account Name: 5CFA82A7-EEAE-4613-9446-BE12BAD859E1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x23335A Privileges: SeImpersonatePrivilege467200125480-921436483760003481615457Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:21 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1559921319-1175711406-314459796-3780761786 Account Name: 5CFA82A7-EEAE-4613-9446-BE12BAD859E1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x23335A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615456Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:21 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5CFA82A7-EEAE-4613-9446-BE12BAD859E1 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615455Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:21 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1559921319-1175711406-314459796-3780761786 Account Name: 5CFA82A7-EEAE-4613-9446-BE12BAD859E1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2315A8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615454Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:20 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1559921319-1175711406-314459796-3780761786 Account Name: 5CFA82A7-EEAE-4613-9446-BE12BAD859E1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2315A8 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615453Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:20 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1559921319-1175711406-314459796-3780761786 Account Name: 5CFA82A7-EEAE-4613-9446-BE12BAD859E1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2315A8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615452Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:20 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5CFA82A7-EEAE-4613-9446-BE12BAD859E1 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615451Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:20 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1559921319-1175711406-314459796-3780761786 Account Name: 5CFA82A7-EEAE-4613-9446-BE12BAD859E1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x22F5E4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615450Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:20 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1559921319-1175711406-314459796-3780761786 Account Name: 5CFA82A7-EEAE-4613-9446-BE12BAD859E1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x22FBCE Privileges: SeImpersonatePrivilege467200125480-921436483760003481615449Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:20 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1559921319-1175711406-314459796-3780761786 Account Name: 5CFA82A7-EEAE-4613-9446-BE12BAD859E1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x22FBCE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615448Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:20 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5CFA82A7-EEAE-4613-9446-BE12BAD859E1 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615447Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:20 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1559921319-1175711406-314459796-3780761786 Account Name: 5CFA82A7-EEAE-4613-9446-BE12BAD859E1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x22FACE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615446Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:20 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1559921319-1175711406-314459796-3780761786 Account Name: 5CFA82A7-EEAE-4613-9446-BE12BAD859E1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x22FACE Privileges: SeImpersonatePrivilege467200125480-921436483760003481615445Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:20 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1559921319-1175711406-314459796-3780761786 Account Name: 5CFA82A7-EEAE-4613-9446-BE12BAD859E1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x22FACE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615444Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:20 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5CFA82A7-EEAE-4613-9446-BE12BAD859E1 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615443Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:20 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1559921319-1175711406-314459796-3780761786 Account Name: 5CFA82A7-EEAE-4613-9446-BE12BAD859E1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x22F91B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615442Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:20 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1559921319-1175711406-314459796-3780761786 Account Name: 5CFA82A7-EEAE-4613-9446-BE12BAD859E1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x22F91B Privileges: SeImpersonatePrivilege467200125480-921436483760003481615441Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:20 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1559921319-1175711406-314459796-3780761786 Account Name: 5CFA82A7-EEAE-4613-9446-BE12BAD859E1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x22F91B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615440Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:20 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5CFA82A7-EEAE-4613-9446-BE12BAD859E1 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615439Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:20 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1559921319-1175711406-314459796-3780761786 Account Name: 5CFA82A7-EEAE-4613-9446-BE12BAD859E1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x22F5E4 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615438Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:20 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1559921319-1175711406-314459796-3780761786 Account Name: 5CFA82A7-EEAE-4613-9446-BE12BAD859E1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x22F5E4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615437Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:20 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5CFA82A7-EEAE-4613-9446-BE12BAD859E1 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615436Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:20 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1675277344-1179342418-3696488370-955351435 Account Name: 63DAB420-5652-464B-B2EF-53DC8B81F138 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x22EEF6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615435Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:19 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1675277344-1179342418-3696488370-955351435 Account Name: 63DAB420-5652-464B-B2EF-53DC8B81F138 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x22EEF6 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615434Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:19 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1675277344-1179342418-3696488370-955351435 Account Name: 63DAB420-5652-464B-B2EF-53DC8B81F138 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x22EEF6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615433Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:19 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 63DAB420-5652-464B-B2EF-53DC8B81F138 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615432Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:19 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2316067660-1293641949-1210466187-1960938975 Account Name: 8A0C634C-68DD-4D1B-8B3F-2648DF8DE174 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x22CC67 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615431Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:19 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2316067660-1293641949-1210466187-1960938975 Account Name: 8A0C634C-68DD-4D1B-8B3F-2648DF8DE174 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x22CC67 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615430Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:19 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2316067660-1293641949-1210466187-1960938975 Account Name: 8A0C634C-68DD-4D1B-8B3F-2648DF8DE174 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x22CC67 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615429Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:19 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8A0C634C-68DD-4D1B-8B3F-2648DF8DE174 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615428Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:19 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2316067660-1293641949-1210466187-1960938975 Account Name: 8A0C634C-68DD-4D1B-8B3F-2648DF8DE174 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x22B83E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615427Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:18 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2316067660-1293641949-1210466187-1960938975 Account Name: 8A0C634C-68DD-4D1B-8B3F-2648DF8DE174 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x22B83E Privileges: SeImpersonatePrivilege467200125480-921436483760003481615426Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:18 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2316067660-1293641949-1210466187-1960938975 Account Name: 8A0C634C-68DD-4D1B-8B3F-2648DF8DE174 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x22B83E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615425Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:18 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8A0C634C-68DD-4D1B-8B3F-2648DF8DE174 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615424Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:18 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2316067660-1293641949-1210466187-1960938975 Account Name: 8A0C634C-68DD-4D1B-8B3F-2648DF8DE174 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x22B000 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615423Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:17 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2316067660-1293641949-1210466187-1960938975 Account Name: 8A0C634C-68DD-4D1B-8B3F-2648DF8DE174 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x22B000 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615422Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:17 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2316067660-1293641949-1210466187-1960938975 Account Name: 8A0C634C-68DD-4D1B-8B3F-2648DF8DE174 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x22B000 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615421Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:17 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8A0C634C-68DD-4D1B-8B3F-2648DF8DE174 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615420Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:17 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1742501798-1240840172-2213718932-3356429124 Account Name: 67DC77A6-B7EC-49F5-94AB-F283440B0FC8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x228C0B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615419Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:16 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1742501798-1240840172-2213718932-3356429124 Account Name: 67DC77A6-B7EC-49F5-94AB-F283440B0FC8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x228C0B Privileges: SeImpersonatePrivilege467200125480-921436483760003481615418Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:16 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1742501798-1240840172-2213718932-3356429124 Account Name: 67DC77A6-B7EC-49F5-94AB-F283440B0FC8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x228C0B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615417Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:16 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 67DC77A6-B7EC-49F5-94AB-F283440B0FC8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615416Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:16 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1742501798-1240840172-2213718932-3356429124 Account Name: 67DC77A6-B7EC-49F5-94AB-F283440B0FC8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x226FB6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615415Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:16 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1742501798-1240840172-2213718932-3356429124 Account Name: 67DC77A6-B7EC-49F5-94AB-F283440B0FC8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2273D5 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615414Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:16 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1742501798-1240840172-2213718932-3356429124 Account Name: 67DC77A6-B7EC-49F5-94AB-F283440B0FC8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2273D5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615413Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:16 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 67DC77A6-B7EC-49F5-94AB-F283440B0FC8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615412Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:16 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1742501798-1240840172-2213718932-3356429124 Account Name: 67DC77A6-B7EC-49F5-94AB-F283440B0FC8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x22711D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615411Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:16 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1742501798-1240840172-2213718932-3356429124 Account Name: 67DC77A6-B7EC-49F5-94AB-F283440B0FC8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x22711D Privileges: SeImpersonatePrivilege467200125480-921436483760003481615410Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:16 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1742501798-1240840172-2213718932-3356429124 Account Name: 67DC77A6-B7EC-49F5-94AB-F283440B0FC8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x22711D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615409Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:16 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 67DC77A6-B7EC-49F5-94AB-F283440B0FC8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615408Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:16 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1742501798-1240840172-2213718932-3356429124 Account Name: 67DC77A6-B7EC-49F5-94AB-F283440B0FC8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x22705B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615407Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:15 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1742501798-1240840172-2213718932-3356429124 Account Name: 67DC77A6-B7EC-49F5-94AB-F283440B0FC8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x22705B Privileges: SeImpersonatePrivilege467200125480-921436483760003481615406Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:15 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1742501798-1240840172-2213718932-3356429124 Account Name: 67DC77A6-B7EC-49F5-94AB-F283440B0FC8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x22705B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615405Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:15 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 67DC77A6-B7EC-49F5-94AB-F283440B0FC8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615404Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:15 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1742501798-1240840172-2213718932-3356429124 Account Name: 67DC77A6-B7EC-49F5-94AB-F283440B0FC8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x226FB6 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615403Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:15 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1742501798-1240840172-2213718932-3356429124 Account Name: 67DC77A6-B7EC-49F5-94AB-F283440B0FC8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x226FB6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615402Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:15 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 67DC77A6-B7EC-49F5-94AB-F283440B0FC8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615401Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:15 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1675277344-1179342418-3696488370-955351435 Account Name: 63DAB420-5652-464B-B2EF-53DC8B81F138 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x224BEB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615400Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:14 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1675277344-1179342418-3696488370-955351435 Account Name: 63DAB420-5652-464B-B2EF-53DC8B81F138 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x224BEB Privileges: SeImpersonatePrivilege467200125480-921436483760003481615399Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:14 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1675277344-1179342418-3696488370-955351435 Account Name: 63DAB420-5652-464B-B2EF-53DC8B81F138 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x224BEB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615398Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:14 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 63DAB420-5652-464B-B2EF-53DC8B81F138 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615397Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:14 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1675277344-1179342418-3696488370-955351435 Account Name: 63DAB420-5652-464B-B2EF-53DC8B81F138 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x223AF3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615396Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:13 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1675277344-1179342418-3696488370-955351435 Account Name: 63DAB420-5652-464B-B2EF-53DC8B81F138 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x223D46 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615395Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:13 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1675277344-1179342418-3696488370-955351435 Account Name: 63DAB420-5652-464B-B2EF-53DC8B81F138 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x223D46 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615394Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:13 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 63DAB420-5652-464B-B2EF-53DC8B81F138 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615393Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:13 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1675277344-1179342418-3696488370-955351435 Account Name: 63DAB420-5652-464B-B2EF-53DC8B81F138 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x223C0F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615392Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:13 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1675277344-1179342418-3696488370-955351435 Account Name: 63DAB420-5652-464B-B2EF-53DC8B81F138 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x223C0F Privileges: SeImpersonatePrivilege467200125480-921436483760003481615391Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:13 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1675277344-1179342418-3696488370-955351435 Account Name: 63DAB420-5652-464B-B2EF-53DC8B81F138 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x223C0F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615390Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:13 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 63DAB420-5652-464B-B2EF-53DC8B81F138 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615389Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:13 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1675277344-1179342418-3696488370-955351435 Account Name: 63DAB420-5652-464B-B2EF-53DC8B81F138 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x223B98 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615388Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:13 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1675277344-1179342418-3696488370-955351435 Account Name: 63DAB420-5652-464B-B2EF-53DC8B81F138 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x223B98 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615387Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:13 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1675277344-1179342418-3696488370-955351435 Account Name: 63DAB420-5652-464B-B2EF-53DC8B81F138 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x223B98 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615386Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:13 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 63DAB420-5652-464B-B2EF-53DC8B81F138 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615385Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:13 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1675277344-1179342418-3696488370-955351435 Account Name: 63DAB420-5652-464B-B2EF-53DC8B81F138 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x223AF3 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615384Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:13 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1675277344-1179342418-3696488370-955351435 Account Name: 63DAB420-5652-464B-B2EF-53DC8B81F138 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x223AF3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615383Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:13 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 63DAB420-5652-464B-B2EF-53DC8B81F138 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615382Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:13 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1270951347-1092228372-2572359056-950472641 Account Name: 4BC12DB3-1514-411A-9015-5399C10FA738 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x21797E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615381Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:05 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1270951347-1092228372-2572359056-950472641 Account Name: 4BC12DB3-1514-411A-9015-5399C10FA738 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x21C127 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615380Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:01 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1270951347-1092228372-2572359056-950472641 Account Name: 4BC12DB3-1514-411A-9015-5399C10FA738 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x21C127 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615379Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:01 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1270951347-1092228372-2572359056-950472641 Account Name: 4BC12DB3-1514-411A-9015-5399C10FA738 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x21C127 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615378Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:01 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4BC12DB3-1514-411A-9015-5399C10FA738 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615377Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:58:01 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1270951347-1092228372-2572359056-950472641 Account Name: 4BC12DB3-1514-411A-9015-5399C10FA738 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x218776 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615376Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:53 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1270951347-1092228372-2572359056-950472641 Account Name: 4BC12DB3-1514-411A-9015-5399C10FA738 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x218776 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615375Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:53 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1270951347-1092228372-2572359056-950472641 Account Name: 4BC12DB3-1514-411A-9015-5399C10FA738 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x218776 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615374Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:53 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4BC12DB3-1514-411A-9015-5399C10FA738 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615373Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:53 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1270951347-1092228372-2572359056-950472641 Account Name: 4BC12DB3-1514-411A-9015-5399C10FA738 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x217837 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615372Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:52 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1270951347-1092228372-2572359056-950472641 Account Name: 4BC12DB3-1514-411A-9015-5399C10FA738 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x21797E Privileges: SeImpersonatePrivilege467200125480-921436483760003481615371Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:52 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1270951347-1092228372-2572359056-950472641 Account Name: 4BC12DB3-1514-411A-9015-5399C10FA738 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x21797E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615370Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:52 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4BC12DB3-1514-411A-9015-5399C10FA738 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615369Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:52 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1270951347-1092228372-2572359056-950472641 Account Name: 4BC12DB3-1514-411A-9015-5399C10FA738 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x217925 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615368Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:52 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1270951347-1092228372-2572359056-950472641 Account Name: 4BC12DB3-1514-411A-9015-5399C10FA738 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x217925 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615367Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:52 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1270951347-1092228372-2572359056-950472641 Account Name: 4BC12DB3-1514-411A-9015-5399C10FA738 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x217925 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615366Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:52 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4BC12DB3-1514-411A-9015-5399C10FA738 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615365Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:52 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1270951347-1092228372-2572359056-950472641 Account Name: 4BC12DB3-1514-411A-9015-5399C10FA738 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2178DC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615364Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:52 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1270951347-1092228372-2572359056-950472641 Account Name: 4BC12DB3-1514-411A-9015-5399C10FA738 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2178DC Privileges: SeImpersonatePrivilege467200125480-921436483760003481615363Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:52 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1270951347-1092228372-2572359056-950472641 Account Name: 4BC12DB3-1514-411A-9015-5399C10FA738 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2178DC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615362Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:52 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4BC12DB3-1514-411A-9015-5399C10FA738 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615361Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:52 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1270951347-1092228372-2572359056-950472641 Account Name: 4BC12DB3-1514-411A-9015-5399C10FA738 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x217837 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615360Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:52 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1270951347-1092228372-2572359056-950472641 Account Name: 4BC12DB3-1514-411A-9015-5399C10FA738 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x217837 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615359Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:52 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4BC12DB3-1514-411A-9015-5399C10FA738 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615358Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:52 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1408383468-1285146319-4230060468-845740079 Account Name: 53F239EC-C6CF-4C99-B499-21FC2FF86832 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E6F5A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615357Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:51 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x214BA2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F2DBABA7-740C-DE72-ECA8-9330E34E56B4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 53065 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615356Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:50 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x214BA2 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615355Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:50 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3735350321-1111559964-2460140729-4258340850 Account Name: DEA4EC31-0F1C-4241-B9C4-A292F21FD1FD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E511F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615354Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:50 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x1FA90B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615353Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:45 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1399049360-1260840147-846993834-2845527922 Account Name: 5363CC90-E4D3-4B26-AA19-7C32724F9BA9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x201E5A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615352Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:40 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1399049360-1260840147-846993834-2845527922 Account Name: 5363CC90-E4D3-4B26-AA19-7C32724F9BA9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1F85B7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615351Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:40 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-1106 Account Name: N-H1-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x1FB348 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615350Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:39 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-41077537-1159118891-1447570876-516911416 Account Name: 0272CB21-C02B-4516-BC2D-48563871CF1E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x209F5A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615349Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:34 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-41077537-1159118891-1447570876-516911416 Account Name: 0272CB21-C02B-4516-BC2D-48563871CF1E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x209F5A Privileges: SeImpersonatePrivilege467200125480-921436483760003481615348Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:34 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-41077537-1159118891-1447570876-516911416 Account Name: 0272CB21-C02B-4516-BC2D-48563871CF1E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x209F5A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615347Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:34 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0272CB21-C02B-4516-BC2D-48563871CF1E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615346Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:34 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-41077537-1159118891-1447570876-516911416 Account Name: 0272CB21-C02B-4516-BC2D-48563871CF1E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x207E55 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615345Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:33 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-41077537-1159118891-1447570876-516911416 Account Name: 0272CB21-C02B-4516-BC2D-48563871CF1E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x207E55 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615344Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:33 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-41077537-1159118891-1447570876-516911416 Account Name: 0272CB21-C02B-4516-BC2D-48563871CF1E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x207E55 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615343Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:33 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0272CB21-C02B-4516-BC2D-48563871CF1E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615342Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:33 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-41077537-1159118891-1447570876-516911416 Account Name: 0272CB21-C02B-4516-BC2D-48563871CF1E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x20682B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615341Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:33 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-41077537-1159118891-1447570876-516911416 Account Name: 0272CB21-C02B-4516-BC2D-48563871CF1E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x20682B Privileges: SeImpersonatePrivilege467200125480-921436483760003481615340Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:33 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-41077537-1159118891-1447570876-516911416 Account Name: 0272CB21-C02B-4516-BC2D-48563871CF1E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x20682B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615339Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:33 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0272CB21-C02B-4516-BC2D-48563871CF1E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615338Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:33 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2120508093-1136301960-1344368291-2542733651 Account Name: 7E6462BD-9788-43BA-A36E-215053098F97 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C83C7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615337Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:32 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x1FAEFD Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615336Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:32 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1399049360-1260840147-846993834-2845527922 Account Name: 5363CC90-E4D3-4B26-AA19-7C32724F9BA9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x201E5A Privileges: SeImpersonatePrivilege467200125480-921436483760003481615335Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:31 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1399049360-1260840147-846993834-2845527922 Account Name: 5363CC90-E4D3-4B26-AA19-7C32724F9BA9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x201E5A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615334Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:31 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5363CC90-E4D3-4B26-AA19-7C32724F9BA9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615333Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:31 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x1FC087 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615332Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:29 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x1FC087 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7C3D82AD-77BE-3C62-B5B8-0CF232B06C6D} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615331Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:29 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x1FC087 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615330Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:29 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1399049360-1260840147-846993834-2845527922 Account Name: 5363CC90-E4D3-4B26-AA19-7C32724F9BA9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1FBD7E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615329Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:29 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1399049360-1260840147-846993834-2845527922 Account Name: 5363CC90-E4D3-4B26-AA19-7C32724F9BA9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1FBD7E Privileges: SeImpersonatePrivilege467200125480-921436483760003481615328Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:29 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1399049360-1260840147-846993834-2845527922 Account Name: 5363CC90-E4D3-4B26-AA19-7C32724F9BA9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1FBD7E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615327Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:29 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5363CC90-E4D3-4B26-AA19-7C32724F9BA9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615326Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:29 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1399049360-1260840147-846993834-2845527922 Account Name: 5363CC90-E4D3-4B26-AA19-7C32724F9BA9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1FBB3D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615325Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:29 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1399049360-1260840147-846993834-2845527922 Account Name: 5363CC90-E4D3-4B26-AA19-7C32724F9BA9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1FBB3D Privileges: SeImpersonatePrivilege467200125480-921436483760003481615324Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:29 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1399049360-1260840147-846993834-2845527922 Account Name: 5363CC90-E4D3-4B26-AA19-7C32724F9BA9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1FBB3D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615323Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:29 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5363CC90-E4D3-4B26-AA19-7C32724F9BA9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615322Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:29 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-1106 Account Name: N-H1-830646-22$ Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x1FB348 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9A52271C-037F-502A-1FDE-F34092406395} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 53061 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615321Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:29 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-1106 Account Name: N-H1-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x1FAF1F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615320Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:29 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-1106 Account Name: N-H1-830646-22$ Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x1FAF1F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9A52271C-037F-502A-1FDE-F34092406395} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615319Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:29 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x1FAEFD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7C3D82AD-77BE-3C62-B5B8-0CF232B06C6D} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615318Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:29 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x1FAEFD Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615317Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:29 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x1FAB4A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7C3D82AD-77BE-3C62-B5B8-0CF232B06C6D} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 53067 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615316Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:29 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x1FAB4A Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615315Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:29 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x1FAB13 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7C3D82AD-77BE-3C62-B5B8-0CF232B06C6D} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 53066 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615314Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:29 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x1FAB13 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615313Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:29 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x1FAAFE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7C3D82AD-77BE-3C62-B5B8-0CF232B06C6D} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 53066 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615312Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:29 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x1FAAFE Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615311Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:29 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x1FAAE7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7C3D82AD-77BE-3C62-B5B8-0CF232B06C6D} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 53066 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615310Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:29 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x1FAAE7 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615309Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:29 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x1FAAD6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7C3D82AD-77BE-3C62-B5B8-0CF232B06C6D} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 53066 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615308Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:29 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x1FAAD6 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615307Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:29 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x1FAAA4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7C3D82AD-77BE-3C62-B5B8-0CF232B06C6D} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 53065 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615306Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:29 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x1FAAA4 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615305Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:29 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x1FA9A5 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615304Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:29 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x1FA9D4 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615303Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:29 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x1FA9B9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615302Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:29 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x1FA9D4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {D0B31884-CC83-5AC1-AEA2-9978389BDDB1} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 53064 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615301Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:29 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x1FA9D4 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615300Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:29 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x1FA9B9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {D0B31884-CC83-5AC1-AEA2-9978389BDDB1} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 53063 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615299Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:29 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x1FA9B9 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615298Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:29 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x1FA9A5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {D0B31884-CC83-5AC1-AEA2-9978389BDDB1} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 53062 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615297Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:29 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x1FA9A5 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615296Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:29 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x1FA90B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {D0B31884-CC83-5AC1-AEA2-9978389BDDB1} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 53061 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615295Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:29 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x1FA90B Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615294Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:29 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x1F856D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615293Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:24 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1399049360-1260840147-846993834-2845527922 Account Name: 5363CC90-E4D3-4B26-AA19-7C32724F9BA9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1F8636 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615292Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:24 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1399049360-1260840147-846993834-2845527922 Account Name: 5363CC90-E4D3-4B26-AA19-7C32724F9BA9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1F8636 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615291Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:24 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1399049360-1260840147-846993834-2845527922 Account Name: 5363CC90-E4D3-4B26-AA19-7C32724F9BA9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1F8636 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615290Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:24 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5363CC90-E4D3-4B26-AA19-7C32724F9BA9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615289Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:24 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1399049360-1260840147-846993834-2845527922 Account Name: 5363CC90-E4D3-4B26-AA19-7C32724F9BA9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1F85B7 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615288Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:24 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1399049360-1260840147-846993834-2845527922 Account Name: 5363CC90-E4D3-4B26-AA19-7C32724F9BA9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1F85B7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615287Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:24 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5363CC90-E4D3-4B26-AA19-7C32724F9BA9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615286Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:24 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x1F856D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {595DFF73-BE57-3BB9-92B7-8A26F0F25FF8} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: RestrictedKrbHost/n-h1-830646-22@CBCI-830646-22.LOCAL Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615285Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:24 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x1F856D Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615284Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:24 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1408383468-1285146319-4230060468-845740079 Account Name: 53F239EC-C6CF-4C99-B499-21FC2FF86832 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1F451F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615283Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:15 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1408383468-1285146319-4230060468-845740079 Account Name: 53F239EC-C6CF-4C99-B499-21FC2FF86832 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1F451F Privileges: SeImpersonatePrivilege467200125480-921436483760003481615282Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:15 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1408383468-1285146319-4230060468-845740079 Account Name: 53F239EC-C6CF-4C99-B499-21FC2FF86832 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1F451F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615281Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:15 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 53F239EC-C6CF-4C99-B499-21FC2FF86832 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615280Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:15 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x1CFC35 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615279Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:14 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3735350321-1111559964-2460140729-4258340850 Account Name: DEA4EC31-0F1C-4241-B9C4-A292F21FD1FD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1F00CD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615278Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:11 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3735350321-1111559964-2460140729-4258340850 Account Name: DEA4EC31-0F1C-4241-B9C4-A292F21FD1FD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1F00CD Privileges: SeImpersonatePrivilege467200125480-921436483760003481615277Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:11 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3735350321-1111559964-2460140729-4258340850 Account Name: DEA4EC31-0F1C-4241-B9C4-A292F21FD1FD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1F00CD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615276Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:11 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DEA4EC31-0F1C-4241-B9C4-A292F21FD1FD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615275Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:11 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3307232742-1334087665-2596301958-4195740166 Account Name: C5205DE6-8FF1-4F84-866C-C09A06EA15FA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1BA914 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615274Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:09 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1408383468-1285146319-4230060468-845740079 Account Name: 53F239EC-C6CF-4C99-B499-21FC2FF86832 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E7E56 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615273Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:06 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1408383468-1285146319-4230060468-845740079 Account Name: 53F239EC-C6CF-4C99-B499-21FC2FF86832 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E7E56 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615272Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:06 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1408383468-1285146319-4230060468-845740079 Account Name: 53F239EC-C6CF-4C99-B499-21FC2FF86832 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E7E56 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615271Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:06 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 53F239EC-C6CF-4C99-B499-21FC2FF86832 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615270Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:06 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1408383468-1285146319-4230060468-845740079 Account Name: 53F239EC-C6CF-4C99-B499-21FC2FF86832 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E6E0F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615269Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:06 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1408383468-1285146319-4230060468-845740079 Account Name: 53F239EC-C6CF-4C99-B499-21FC2FF86832 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E6F5A Privileges: SeImpersonatePrivilege467200125480-921436483760003481615268Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:06 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1408383468-1285146319-4230060468-845740079 Account Name: 53F239EC-C6CF-4C99-B499-21FC2FF86832 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E6F5A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615267Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:06 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 53F239EC-C6CF-4C99-B499-21FC2FF86832 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615266Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:06 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1408383468-1285146319-4230060468-845740079 Account Name: 53F239EC-C6CF-4C99-B499-21FC2FF86832 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E6F01 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615265Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:06 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1408383468-1285146319-4230060468-845740079 Account Name: 53F239EC-C6CF-4C99-B499-21FC2FF86832 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E6F01 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615264Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:06 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1408383468-1285146319-4230060468-845740079 Account Name: 53F239EC-C6CF-4C99-B499-21FC2FF86832 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E6F01 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615263Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:06 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 53F239EC-C6CF-4C99-B499-21FC2FF86832 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615262Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:06 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1408383468-1285146319-4230060468-845740079 Account Name: 53F239EC-C6CF-4C99-B499-21FC2FF86832 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E6EB4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615261Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:06 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1408383468-1285146319-4230060468-845740079 Account Name: 53F239EC-C6CF-4C99-B499-21FC2FF86832 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E6EB4 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615260Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:06 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1408383468-1285146319-4230060468-845740079 Account Name: 53F239EC-C6CF-4C99-B499-21FC2FF86832 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E6EB4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615259Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:06 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 53F239EC-C6CF-4C99-B499-21FC2FF86832 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615258Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:06 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1408383468-1285146319-4230060468-845740079 Account Name: 53F239EC-C6CF-4C99-B499-21FC2FF86832 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E6E0F Privileges: SeImpersonatePrivilege467200125480-921436483760003481615257Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:06 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1408383468-1285146319-4230060468-845740079 Account Name: 53F239EC-C6CF-4C99-B499-21FC2FF86832 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E6E0F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615256Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:06 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 53F239EC-C6CF-4C99-B499-21FC2FF86832 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615255Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:06 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3735350321-1111559964-2460140729-4258340850 Account Name: DEA4EC31-0F1C-4241-B9C4-A292F21FD1FD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E5F8B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615254Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:04 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3735350321-1111559964-2460140729-4258340850 Account Name: DEA4EC31-0F1C-4241-B9C4-A292F21FD1FD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E5F8B Privileges: SeImpersonatePrivilege467200125480-921436483760003481615253Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:04 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3735350321-1111559964-2460140729-4258340850 Account Name: DEA4EC31-0F1C-4241-B9C4-A292F21FD1FD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E5F8B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615252Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:04 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DEA4EC31-0F1C-4241-B9C4-A292F21FD1FD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615251Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:04 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3735350321-1111559964-2460140729-4258340850 Account Name: DEA4EC31-0F1C-4241-B9C4-A292F21FD1FD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E4FDB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615250Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:04 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3735350321-1111559964-2460140729-4258340850 Account Name: DEA4EC31-0F1C-4241-B9C4-A292F21FD1FD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E511F Privileges: SeImpersonatePrivilege467200125480-921436483760003481615249Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:04 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3735350321-1111559964-2460140729-4258340850 Account Name: DEA4EC31-0F1C-4241-B9C4-A292F21FD1FD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E511F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615248Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:04 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DEA4EC31-0F1C-4241-B9C4-A292F21FD1FD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615247Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:04 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3735350321-1111559964-2460140729-4258340850 Account Name: DEA4EC31-0F1C-4241-B9C4-A292F21FD1FD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E50C6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615246Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:04 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3735350321-1111559964-2460140729-4258340850 Account Name: DEA4EC31-0F1C-4241-B9C4-A292F21FD1FD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E50C6 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615245Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:04 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3735350321-1111559964-2460140729-4258340850 Account Name: DEA4EC31-0F1C-4241-B9C4-A292F21FD1FD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E50C6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615244Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:04 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DEA4EC31-0F1C-4241-B9C4-A292F21FD1FD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615243Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:04 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3735350321-1111559964-2460140729-4258340850 Account Name: DEA4EC31-0F1C-4241-B9C4-A292F21FD1FD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E507D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615242Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:04 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3735350321-1111559964-2460140729-4258340850 Account Name: DEA4EC31-0F1C-4241-B9C4-A292F21FD1FD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E507D Privileges: SeImpersonatePrivilege467200125480-921436483760003481615241Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:04 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3735350321-1111559964-2460140729-4258340850 Account Name: DEA4EC31-0F1C-4241-B9C4-A292F21FD1FD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E507D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615240Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:04 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DEA4EC31-0F1C-4241-B9C4-A292F21FD1FD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615239Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:04 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3735350321-1111559964-2460140729-4258340850 Account Name: DEA4EC31-0F1C-4241-B9C4-A292F21FD1FD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E4FDB Privileges: SeImpersonatePrivilege467200125480-921436483760003481615238Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:03 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3735350321-1111559964-2460140729-4258340850 Account Name: DEA4EC31-0F1C-4241-B9C4-A292F21FD1FD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E4FDB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615237Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:03 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DEA4EC31-0F1C-4241-B9C4-A292F21FD1FD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615236Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:03 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3307232742-1334087665-2596301958-4195740166 Account Name: C5205DE6-8FF1-4F84-866C-C09A06EA15FA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E444E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615235Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:00 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3307232742-1334087665-2596301958-4195740166 Account Name: C5205DE6-8FF1-4F84-866C-C09A06EA15FA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E444E Privileges: SeImpersonatePrivilege467200125480-921436483760003481615234Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:00 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3307232742-1334087665-2596301958-4195740166 Account Name: C5205DE6-8FF1-4F84-866C-C09A06EA15FA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E444E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615233Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:00 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C5205DE6-8FF1-4F84-866C-C09A06EA15FA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615232Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:57:00 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x1D1365 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615231Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:54 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x1D134A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615230Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:54 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x1D1333 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615229Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:54 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x1D0EE8 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615228Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:54 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x1D0ECA Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615227Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:54 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x1D0EA3 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615226Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:54 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x1D09F5 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615225Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:54 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x1D0990 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615224Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:54 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x1D092C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615223Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:54 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x1CFE0E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615222Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:54 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x1CFDCC Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615221Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:54 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x1CFCE1 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615220Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:54 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x1D138B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615219Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:54 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x1CFCCC Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615218Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:54 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x1CFC97 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615217Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:54 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x1D0F37 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615216Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:54 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x1D0B62 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615215Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:54 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x1CFC75 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615214Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:54 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x1D06D8 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615213Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:54 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x1D0364 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615212Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:54 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x1D00C3 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615211Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:54 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x1CFCF9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615210Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:54 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-41077537-1159118891-1447570876-516911416 Account Name: 0272CB21-C02B-4516-BC2D-48563871CF1E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E11BA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615209Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:54 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-41077537-1159118891-1447570876-516911416 Account Name: 0272CB21-C02B-4516-BC2D-48563871CF1E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E11BA Privileges: SeImpersonatePrivilege467200125480-921436483760003481615208Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:54 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-41077537-1159118891-1447570876-516911416 Account Name: 0272CB21-C02B-4516-BC2D-48563871CF1E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E11BA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615207Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:54 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0272CB21-C02B-4516-BC2D-48563871CF1E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615206Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:54 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3476876129-1237976933-3060546228-2294677273 Account Name: CF3CEB61-0765-49CA-B43A-6CB619FFC588 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x173230 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615205Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:52 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3476876129-1237976933-3060546228-2294677273 Account Name: CF3CEB61-0765-49CA-B43A-6CB619FFC588 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1DD207 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615204Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:42 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3476876129-1237976933-3060546228-2294677273 Account Name: CF3CEB61-0765-49CA-B43A-6CB619FFC588 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1DD207 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615203Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:42 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3476876129-1237976933-3060546228-2294677273 Account Name: CF3CEB61-0765-49CA-B43A-6CB619FFC588 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1DD207 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615202Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:42 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CF3CEB61-0765-49CA-B43A-6CB619FFC588 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615201Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:42 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2316067660-1293641949-1210466187-1960938975 Account Name: 8A0C634C-68DD-4D1B-8B3F-2648DF8DE174 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D8B10 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615200Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:37 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2316067660-1293641949-1210466187-1960938975 Account Name: 8A0C634C-68DD-4D1B-8B3F-2648DF8DE174 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D8B10 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615199Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:37 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2316067660-1293641949-1210466187-1960938975 Account Name: 8A0C634C-68DD-4D1B-8B3F-2648DF8DE174 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D8B10 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615198Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:37 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8A0C634C-68DD-4D1B-8B3F-2648DF8DE174 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615197Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:37 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-41077537-1159118891-1447570876-516911416 Account Name: 0272CB21-C02B-4516-BC2D-48563871CF1E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D53B5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615196Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:35 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-41077537-1159118891-1447570876-516911416 Account Name: 0272CB21-C02B-4516-BC2D-48563871CF1E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D53B5 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615195Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:35 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-41077537-1159118891-1447570876-516911416 Account Name: 0272CB21-C02B-4516-BC2D-48563871CF1E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D53B5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615194Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:35 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0272CB21-C02B-4516-BC2D-48563871CF1E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615193Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:35 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-41077537-1159118891-1447570876-516911416 Account Name: 0272CB21-C02B-4516-BC2D-48563871CF1E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D4286 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615192Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:34 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-41077537-1159118891-1447570876-516911416 Account Name: 0272CB21-C02B-4516-BC2D-48563871CF1E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D43CF Privileges: SeImpersonatePrivilege467200125480-921436483760003481615191Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:34 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-41077537-1159118891-1447570876-516911416 Account Name: 0272CB21-C02B-4516-BC2D-48563871CF1E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D43CF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615190Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:34 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0272CB21-C02B-4516-BC2D-48563871CF1E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615189Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:34 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-41077537-1159118891-1447570876-516911416 Account Name: 0272CB21-C02B-4516-BC2D-48563871CF1E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D4376 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615188Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:34 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-41077537-1159118891-1447570876-516911416 Account Name: 0272CB21-C02B-4516-BC2D-48563871CF1E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D4376 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615187Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:34 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-41077537-1159118891-1447570876-516911416 Account Name: 0272CB21-C02B-4516-BC2D-48563871CF1E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D4376 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615186Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:34 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0272CB21-C02B-4516-BC2D-48563871CF1E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615185Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:34 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-41077537-1159118891-1447570876-516911416 Account Name: 0272CB21-C02B-4516-BC2D-48563871CF1E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D432D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615184Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:34 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-41077537-1159118891-1447570876-516911416 Account Name: 0272CB21-C02B-4516-BC2D-48563871CF1E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D432D Privileges: SeImpersonatePrivilege467200125480-921436483760003481615183Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:34 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-41077537-1159118891-1447570876-516911416 Account Name: 0272CB21-C02B-4516-BC2D-48563871CF1E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D432D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615182Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:34 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0272CB21-C02B-4516-BC2D-48563871CF1E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615181Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:34 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-41077537-1159118891-1447570876-516911416 Account Name: 0272CB21-C02B-4516-BC2D-48563871CF1E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D4286 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615180Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:34 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-41077537-1159118891-1447570876-516911416 Account Name: 0272CB21-C02B-4516-BC2D-48563871CF1E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D4286 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615179Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:34 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0272CB21-C02B-4516-BC2D-48563871CF1E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615178Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:34 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2316067660-1293641949-1210466187-1960938975 Account Name: 8A0C634C-68DD-4D1B-8B3F-2648DF8DE174 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D1320 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615177Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:30 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2316067660-1293641949-1210466187-1960938975 Account Name: 8A0C634C-68DD-4D1B-8B3F-2648DF8DE174 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D1320 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615176Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:30 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2316067660-1293641949-1210466187-1960938975 Account Name: 8A0C634C-68DD-4D1B-8B3F-2648DF8DE174 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D1320 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615175Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:30 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8A0C634C-68DD-4D1B-8B3F-2648DF8DE174 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615174Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:30 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x1D138B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7C3D82AD-77BE-3C62-B5B8-0CF232B06C6D} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 52963 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615173Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:30 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x1D138B Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615172Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:30 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x1D1365 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7C3D82AD-77BE-3C62-B5B8-0CF232B06C6D} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 52962 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615171Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:30 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x1D1365 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615170Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:30 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x1D134A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7C3D82AD-77BE-3C62-B5B8-0CF232B06C6D} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 52962 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615169Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:30 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x1D134A Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615168Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:30 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x1D1333 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7C3D82AD-77BE-3C62-B5B8-0CF232B06C6D} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 52962 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615167Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:30 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x1D1333 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615166Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:30 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x1D0F37 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7C3D82AD-77BE-3C62-B5B8-0CF232B06C6D} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 52963 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615165Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:30 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x1D0F37 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615164Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:30 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x1D0EE8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7C3D82AD-77BE-3C62-B5B8-0CF232B06C6D} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 52962 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615163Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:30 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x1D0EE8 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615162Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:30 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x1D0ECA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7C3D82AD-77BE-3C62-B5B8-0CF232B06C6D} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 52962 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615161Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:30 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x1D0ECA Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615160Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:30 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x1D0EA3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7C3D82AD-77BE-3C62-B5B8-0CF232B06C6D} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 52962 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615159Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:30 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x1D0EA3 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615158Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:30 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x1D0B62 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7C3D82AD-77BE-3C62-B5B8-0CF232B06C6D} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 52963 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615157Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:30 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x1D0B62 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615156Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:30 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x1D09F5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7C3D82AD-77BE-3C62-B5B8-0CF232B06C6D} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 52962 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615155Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:30 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x1D09F5 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615154Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:30 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x1D0990 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7C3D82AD-77BE-3C62-B5B8-0CF232B06C6D} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 52962 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615153Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:30 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x1D0990 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615152Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:30 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x1D092C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7C3D82AD-77BE-3C62-B5B8-0CF232B06C6D} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 52962 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615151Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:30 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x1D092C Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615150Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:30 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x1D06D8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7C3D82AD-77BE-3C62-B5B8-0CF232B06C6D} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 52963 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615149Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:30 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x1D06D8 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615148Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:30 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x1D0364 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7C3D82AD-77BE-3C62-B5B8-0CF232B06C6D} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 52963 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615147Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:30 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x1D0364 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615146Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:30 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x1D00C3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7C3D82AD-77BE-3C62-B5B8-0CF232B06C6D} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 52963 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615145Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:30 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x1D00C3 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615144Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:30 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2316067660-1293641949-1210466187-1960938975 Account Name: 8A0C634C-68DD-4D1B-8B3F-2648DF8DE174 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1CFA6A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615143Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:30 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x1CFE0E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7C3D82AD-77BE-3C62-B5B8-0CF232B06C6D} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 52962 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615142Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:30 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x1CFE0E Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615141Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:30 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x1CFDCC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7C3D82AD-77BE-3C62-B5B8-0CF232B06C6D} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 52962 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615140Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:30 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x1CFDCC Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615139Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:30 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2316067660-1293641949-1210466187-1960938975 Account Name: 8A0C634C-68DD-4D1B-8B3F-2648DF8DE174 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1CFCB3 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615138Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:30 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2316067660-1293641949-1210466187-1960938975 Account Name: 8A0C634C-68DD-4D1B-8B3F-2648DF8DE174 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1CFCB3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615137Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:30 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8A0C634C-68DD-4D1B-8B3F-2648DF8DE174 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615136Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:30 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x1CFCF9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7C3D82AD-77BE-3C62-B5B8-0CF232B06C6D} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 52963 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615135Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:30 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x1CFCF9 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615134Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:30 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x1CFCE1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7C3D82AD-77BE-3C62-B5B8-0CF232B06C6D} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 52962 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615133Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:30 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x1CFCE1 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615132Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:30 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x1CFCCC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7C3D82AD-77BE-3C62-B5B8-0CF232B06C6D} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 52962 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615131Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:30 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x1CFCCC Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615130Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:30 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x1CFC97 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7C3D82AD-77BE-3C62-B5B8-0CF232B06C6D} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 52962 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615129Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:30 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x1CFC97 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615128Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:30 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x1CFC75 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7C3D82AD-77BE-3C62-B5B8-0CF232B06C6D} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 52962 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615127Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:30 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2316067660-1293641949-1210466187-1960938975 Account Name: 8A0C634C-68DD-4D1B-8B3F-2648DF8DE174 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1CFBF9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615126Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:30 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x1CFC75 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615125Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:30 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2316067660-1293641949-1210466187-1960938975 Account Name: 8A0C634C-68DD-4D1B-8B3F-2648DF8DE174 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1CFBF9 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615124Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:30 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2316067660-1293641949-1210466187-1960938975 Account Name: 8A0C634C-68DD-4D1B-8B3F-2648DF8DE174 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1CFBF9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615123Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:30 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8A0C634C-68DD-4D1B-8B3F-2648DF8DE174 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615122Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:30 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x1CFC35 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7C3D82AD-77BE-3C62-B5B8-0CF232B06C6D} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 52961 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615121Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:30 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x1CFC35 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615120Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:30 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2316067660-1293641949-1210466187-1960938975 Account Name: 8A0C634C-68DD-4D1B-8B3F-2648DF8DE174 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1CFBAC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615119Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:30 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2316067660-1293641949-1210466187-1960938975 Account Name: 8A0C634C-68DD-4D1B-8B3F-2648DF8DE174 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1CFBAC Privileges: SeImpersonatePrivilege467200125480-921436483760003481615118Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:30 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2316067660-1293641949-1210466187-1960938975 Account Name: 8A0C634C-68DD-4D1B-8B3F-2648DF8DE174 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1CFBAC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615117Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:30 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8A0C634C-68DD-4D1B-8B3F-2648DF8DE174 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615116Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:30 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2316067660-1293641949-1210466187-1960938975 Account Name: 8A0C634C-68DD-4D1B-8B3F-2648DF8DE174 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1CFA6A Privileges: SeImpersonatePrivilege467200125480-921436483760003481615115Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:30 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2316067660-1293641949-1210466187-1960938975 Account Name: 8A0C634C-68DD-4D1B-8B3F-2648DF8DE174 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1CFA6A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615114Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:30 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8A0C634C-68DD-4D1B-8B3F-2648DF8DE174 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615113Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:30 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x1C66FC Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615112Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:29 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2120508093-1136301960-1344368291-2542733651 Account Name: 7E6462BD-9788-43BA-A36E-215053098F97 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1CDC8C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615111Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:25 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2120508093-1136301960-1344368291-2542733651 Account Name: 7E6462BD-9788-43BA-A36E-215053098F97 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1CDC8C Privileges: SeImpersonatePrivilege467200125480-921436483760003481615110Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:25 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2120508093-1136301960-1344368291-2542733651 Account Name: 7E6462BD-9788-43BA-A36E-215053098F97 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1CDC8C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615109Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:25 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7E6462BD-9788-43BA-A36E-215053098F97 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615108Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:25 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2120508093-1136301960-1344368291-2542733651 Account Name: 7E6462BD-9788-43BA-A36E-215053098F97 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C9208 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615107Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:17 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2120508093-1136301960-1344368291-2542733651 Account Name: 7E6462BD-9788-43BA-A36E-215053098F97 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C9208 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615106Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:17 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2120508093-1136301960-1344368291-2542733651 Account Name: 7E6462BD-9788-43BA-A36E-215053098F97 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C9208 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615105Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:17 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7E6462BD-9788-43BA-A36E-215053098F97 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615104Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:17 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2120508093-1136301960-1344368291-2542733651 Account Name: 7E6462BD-9788-43BA-A36E-215053098F97 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C8280 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615103Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:17 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2120508093-1136301960-1344368291-2542733651 Account Name: 7E6462BD-9788-43BA-A36E-215053098F97 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C83C7 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615102Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:17 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2120508093-1136301960-1344368291-2542733651 Account Name: 7E6462BD-9788-43BA-A36E-215053098F97 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C83C7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615101Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:17 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7E6462BD-9788-43BA-A36E-215053098F97 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615100Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:17 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2120508093-1136301960-1344368291-2542733651 Account Name: 7E6462BD-9788-43BA-A36E-215053098F97 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C836E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615099Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:17 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2120508093-1136301960-1344368291-2542733651 Account Name: 7E6462BD-9788-43BA-A36E-215053098F97 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C836E Privileges: SeImpersonatePrivilege467200125480-921436483760003481615098Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:17 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2120508093-1136301960-1344368291-2542733651 Account Name: 7E6462BD-9788-43BA-A36E-215053098F97 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C836E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615097Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:17 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7E6462BD-9788-43BA-A36E-215053098F97 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615096Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:17 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2120508093-1136301960-1344368291-2542733651 Account Name: 7E6462BD-9788-43BA-A36E-215053098F97 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C8325 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615095Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:17 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2120508093-1136301960-1344368291-2542733651 Account Name: 7E6462BD-9788-43BA-A36E-215053098F97 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C8325 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615094Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:17 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2120508093-1136301960-1344368291-2542733651 Account Name: 7E6462BD-9788-43BA-A36E-215053098F97 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C8325 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615093Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:17 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7E6462BD-9788-43BA-A36E-215053098F97 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615092Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:17 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2120508093-1136301960-1344368291-2542733651 Account Name: 7E6462BD-9788-43BA-A36E-215053098F97 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C8280 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615091Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:17 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2120508093-1136301960-1344368291-2542733651 Account Name: 7E6462BD-9788-43BA-A36E-215053098F97 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C8280 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615090Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:17 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7E6462BD-9788-43BA-A36E-215053098F97 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615089Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:17 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x1C66FC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {D0B31884-CC83-5AC1-AEA2-9978389BDDB1} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 52927 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615088Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:08 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x1C66FC Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615087Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:08 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3476876129-1237976933-3060546228-2294677273 Account Name: CF3CEB61-0765-49CA-B43A-6CB619FFC588 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C4CC9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615086Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:03 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3476876129-1237976933-3060546228-2294677273 Account Name: CF3CEB61-0765-49CA-B43A-6CB619FFC588 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C4CC9 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615085Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:03 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3476876129-1237976933-3060546228-2294677273 Account Name: CF3CEB61-0765-49CA-B43A-6CB619FFC588 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C4CC9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615084Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:03 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CF3CEB61-0765-49CA-B43A-6CB619FFC588 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615083Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:03 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3307232742-1334087665-2596301958-4195740166 Account Name: C5205DE6-8FF1-4F84-866C-C09A06EA15FA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C2113 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615082Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:01 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3307232742-1334087665-2596301958-4195740166 Account Name: C5205DE6-8FF1-4F84-866C-C09A06EA15FA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C2113 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615081Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:01 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3307232742-1334087665-2596301958-4195740166 Account Name: C5205DE6-8FF1-4F84-866C-C09A06EA15FA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C2113 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615080Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:01 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C5205DE6-8FF1-4F84-866C-C09A06EA15FA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615079Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:56:01 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3542888705-1297846302-1709055648-3209839753 Account Name: D32C3101-901E-4D5B-A01E-DE65894452BF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x17E505 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615078Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:59 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3307232742-1334087665-2596301958-4195740166 Account Name: C5205DE6-8FF1-4F84-866C-C09A06EA15FA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1BB800 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615077Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:55 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3307232742-1334087665-2596301958-4195740166 Account Name: C5205DE6-8FF1-4F84-866C-C09A06EA15FA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1BB800 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615076Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:55 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3307232742-1334087665-2596301958-4195740166 Account Name: C5205DE6-8FF1-4F84-866C-C09A06EA15FA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1BB800 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615075Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:55 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C5205DE6-8FF1-4F84-866C-C09A06EA15FA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615074Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:55 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3307232742-1334087665-2596301958-4195740166 Account Name: C5205DE6-8FF1-4F84-866C-C09A06EA15FA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1BA7C9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615073Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:54 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3307232742-1334087665-2596301958-4195740166 Account Name: C5205DE6-8FF1-4F84-866C-C09A06EA15FA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1BA914 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615072Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:54 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3307232742-1334087665-2596301958-4195740166 Account Name: C5205DE6-8FF1-4F84-866C-C09A06EA15FA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1BA914 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615071Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:54 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C5205DE6-8FF1-4F84-866C-C09A06EA15FA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615070Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:54 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3307232742-1334087665-2596301958-4195740166 Account Name: C5205DE6-8FF1-4F84-866C-C09A06EA15FA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1BA8BB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615069Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:54 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3307232742-1334087665-2596301958-4195740166 Account Name: C5205DE6-8FF1-4F84-866C-C09A06EA15FA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1BA8BB Privileges: SeImpersonatePrivilege467200125480-921436483760003481615068Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:54 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3307232742-1334087665-2596301958-4195740166 Account Name: C5205DE6-8FF1-4F84-866C-C09A06EA15FA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1BA8BB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615067Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:54 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C5205DE6-8FF1-4F84-866C-C09A06EA15FA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615066Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:54 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3307232742-1334087665-2596301958-4195740166 Account Name: C5205DE6-8FF1-4F84-866C-C09A06EA15FA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1BA872 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615065Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:54 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3307232742-1334087665-2596301958-4195740166 Account Name: C5205DE6-8FF1-4F84-866C-C09A06EA15FA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1BA872 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615064Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:54 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3307232742-1334087665-2596301958-4195740166 Account Name: C5205DE6-8FF1-4F84-866C-C09A06EA15FA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1BA872 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615063Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:54 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C5205DE6-8FF1-4F84-866C-C09A06EA15FA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615062Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:54 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3307232742-1334087665-2596301958-4195740166 Account Name: C5205DE6-8FF1-4F84-866C-C09A06EA15FA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1BA7C9 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615061Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:54 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3307232742-1334087665-2596301958-4195740166 Account Name: C5205DE6-8FF1-4F84-866C-C09A06EA15FA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1BA7C9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615060Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:54 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C5205DE6-8FF1-4F84-866C-C09A06EA15FA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615059Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:54 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x11B25E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615058Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:44 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4184653167-1222545624-3827159434-3753424229 Account Name: F96CBD6F-90D8-48DE-8AD1-1DE465B5B8DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1A5355 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615057Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:40 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4184653167-1222545624-3827159434-3753424229 Account Name: F96CBD6F-90D8-48DE-8AD1-1DE465B5B8DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1AC882 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615056Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:35 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4184653167-1222545624-3827159434-3753424229 Account Name: F96CBD6F-90D8-48DE-8AD1-1DE465B5B8DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1AC882 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615055Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:35 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4184653167-1222545624-3827159434-3753424229 Account Name: F96CBD6F-90D8-48DE-8AD1-1DE465B5B8DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1AC882 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615054Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:35 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F96CBD6F-90D8-48DE-8AD1-1DE465B5B8DF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615053Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:35 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4184653167-1222545624-3827159434-3753424229 Account Name: F96CBD6F-90D8-48DE-8AD1-1DE465B5B8DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1A6742 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615052Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:28 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4184653167-1222545624-3827159434-3753424229 Account Name: F96CBD6F-90D8-48DE-8AD1-1DE465B5B8DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1A6742 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615051Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:28 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4184653167-1222545624-3827159434-3753424229 Account Name: F96CBD6F-90D8-48DE-8AD1-1DE465B5B8DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1A6742 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615050Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:28 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F96CBD6F-90D8-48DE-8AD1-1DE465B5B8DF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615049Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:28 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4184653167-1222545624-3827159434-3753424229 Account Name: F96CBD6F-90D8-48DE-8AD1-1DE465B5B8DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1A506B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615048Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:28 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4184653167-1222545624-3827159434-3753424229 Account Name: F96CBD6F-90D8-48DE-8AD1-1DE465B5B8DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1A5355 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615047Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:28 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4184653167-1222545624-3827159434-3753424229 Account Name: F96CBD6F-90D8-48DE-8AD1-1DE465B5B8DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1A5355 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615046Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:28 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F96CBD6F-90D8-48DE-8AD1-1DE465B5B8DF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615045Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:28 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4184653167-1222545624-3827159434-3753424229 Account Name: F96CBD6F-90D8-48DE-8AD1-1DE465B5B8DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1A5296 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615044Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:28 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4184653167-1222545624-3827159434-3753424229 Account Name: F96CBD6F-90D8-48DE-8AD1-1DE465B5B8DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1A5296 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615043Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:28 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4184653167-1222545624-3827159434-3753424229 Account Name: F96CBD6F-90D8-48DE-8AD1-1DE465B5B8DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1A5296 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615042Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:28 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F96CBD6F-90D8-48DE-8AD1-1DE465B5B8DF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615041Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:28 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4184653167-1222545624-3827159434-3753424229 Account Name: F96CBD6F-90D8-48DE-8AD1-1DE465B5B8DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1A51A1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615040Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:28 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4184653167-1222545624-3827159434-3753424229 Account Name: F96CBD6F-90D8-48DE-8AD1-1DE465B5B8DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1A51A1 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615039Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:28 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4184653167-1222545624-3827159434-3753424229 Account Name: F96CBD6F-90D8-48DE-8AD1-1DE465B5B8DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1A51A1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615038Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:28 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F96CBD6F-90D8-48DE-8AD1-1DE465B5B8DF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615037Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:28 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4184653167-1222545624-3827159434-3753424229 Account Name: F96CBD6F-90D8-48DE-8AD1-1DE465B5B8DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1A506B Privileges: SeImpersonatePrivilege467200125480-921436483760003481615036Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:27 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4184653167-1222545624-3827159434-3753424229 Account Name: F96CBD6F-90D8-48DE-8AD1-1DE465B5B8DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1A506B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615035Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:27 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F96CBD6F-90D8-48DE-8AD1-1DE465B5B8DF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615034Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:27 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x189F39 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615033Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:25 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x18133D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615032Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:24 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x181320 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615031Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:24 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x1812FC Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615030Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:24 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x18110C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615029Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:24 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x1810EC Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615028Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:24 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x1810C9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615027Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:24 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x180E3F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615026Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:24 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x180E20 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615025Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:24 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x180DFB Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615024Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:24 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x18027A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615023Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:24 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x1801C9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615022Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:24 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x180150 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615021Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:24 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x17FCA0 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615020Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:24 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x17FC2F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615019Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:24 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x17FBE7 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615018Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:24 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x13E2DE Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615017Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:24 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x18137F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615016Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:24 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x13E2C9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615015Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:24 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x180EA9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615014Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:24 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x13E2B2 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615013Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:24 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x180769 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615012Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:24 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x13E2A1 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615011Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:24 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x1804E5 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615010Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:24 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x1802C6 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615009Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:24 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x17FCE3 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615008Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:24 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x13E3AC Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615007Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:24 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x13E315 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615006Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:24 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2122259485-1210584226-2469384577-3662011411 Account Name: 7E7F1C1D-0CA2-4828-81D1-2F9313DC45DA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x115C6C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615005Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:24 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3347702321-1275129069-3063595163-734463100 Account Name: C789E231-ECED-4C00-9BC0-9AB67C04C72B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1689E6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615004Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:20 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-798768737-1250606277-3401433782-2175936861 Account Name: 2F9C3E61-BCC5-4A8A-B6C2-BDCA5D29B281 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x17B9D6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615003Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:15 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1732802776-1194204687-611716497-2322968333 Account Name: 674878D8-1E0F-472E-910D-76240DAF758A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x194A26 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615002Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:13 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1732802776-1194204687-611716497-2322968333 Account Name: 674878D8-1E0F-472E-910D-76240DAF758A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x194A26 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615001Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:13 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1732802776-1194204687-611716497-2322968333 Account Name: 674878D8-1E0F-472E-910D-76240DAF758A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x194A26 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615000Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:13 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 674878D8-1E0F-472E-910D-76240DAF758A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614999Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:13 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1732802776-1194204687-611716497-2322968333 Account Name: 674878D8-1E0F-472E-910D-76240DAF758A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x192F01 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614998Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:12 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1732802776-1194204687-611716497-2322968333 Account Name: 674878D8-1E0F-472E-910D-76240DAF758A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x192F01 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614997Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:12 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1732802776-1194204687-611716497-2322968333 Account Name: 674878D8-1E0F-472E-910D-76240DAF758A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x192F01 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614996Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:12 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 674878D8-1E0F-472E-910D-76240DAF758A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614995Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:12 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1732802776-1194204687-611716497-2322968333 Account Name: 674878D8-1E0F-472E-910D-76240DAF758A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1917DB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614994Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:11 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1732802776-1194204687-611716497-2322968333 Account Name: 674878D8-1E0F-472E-910D-76240DAF758A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x191A96 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614993Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:11 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1732802776-1194204687-611716497-2322968333 Account Name: 674878D8-1E0F-472E-910D-76240DAF758A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x191A96 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614992Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:11 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 674878D8-1E0F-472E-910D-76240DAF758A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614991Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:11 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1732802776-1194204687-611716497-2322968333 Account Name: 674878D8-1E0F-472E-910D-76240DAF758A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1919B3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614990Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:11 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1732802776-1194204687-611716497-2322968333 Account Name: 674878D8-1E0F-472E-910D-76240DAF758A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1919B3 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614989Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:11 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1732802776-1194204687-611716497-2322968333 Account Name: 674878D8-1E0F-472E-910D-76240DAF758A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1919B3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614988Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:11 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 674878D8-1E0F-472E-910D-76240DAF758A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614987Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:11 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1732802776-1194204687-611716497-2322968333 Account Name: 674878D8-1E0F-472E-910D-76240DAF758A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x191916 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614986Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:11 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1732802776-1194204687-611716497-2322968333 Account Name: 674878D8-1E0F-472E-910D-76240DAF758A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x191916 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614985Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:11 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1732802776-1194204687-611716497-2322968333 Account Name: 674878D8-1E0F-472E-910D-76240DAF758A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x191916 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614984Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:11 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 674878D8-1E0F-472E-910D-76240DAF758A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614983Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:11 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1732802776-1194204687-611716497-2322968333 Account Name: 674878D8-1E0F-472E-910D-76240DAF758A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1917DB Privileges: SeImpersonatePrivilege467200125480-921436483760003481614982Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:11 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1732802776-1194204687-611716497-2322968333 Account Name: 674878D8-1E0F-472E-910D-76240DAF758A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1917DB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614981Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:11 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 674878D8-1E0F-472E-910D-76240DAF758A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614980Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:11 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2122259485-1210584226-2469384577-3662011411 Account Name: 7E7F1C1D-0CA2-4828-81D1-2F9313DC45DA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x18FF1B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614979Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:09 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2122259485-1210584226-2469384577-3662011411 Account Name: 7E7F1C1D-0CA2-4828-81D1-2F9313DC45DA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x18FF1B Privileges: SeImpersonatePrivilege467200125480-921436483760003481614978Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:09 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2122259485-1210584226-2469384577-3662011411 Account Name: 7E7F1C1D-0CA2-4828-81D1-2F9313DC45DA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x18FF1B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614977Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:09 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7E7F1C1D-0CA2-4828-81D1-2F9313DC45DA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614976Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:09 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3542888705-1297846302-1709055648-3209839753 Account Name: D32C3101-901E-4D5B-A01E-DE65894452BF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x18B959 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614975Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:05 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3542888705-1297846302-1709055648-3209839753 Account Name: D32C3101-901E-4D5B-A01E-DE65894452BF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x18B959 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614974Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:05 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3542888705-1297846302-1709055648-3209839753 Account Name: D32C3101-901E-4D5B-A01E-DE65894452BF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x18B959 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614973Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:05 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D32C3101-901E-4D5B-A01E-DE65894452BF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614972Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:05 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x18A2A7 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614971Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:04 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x18A2AA Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614970Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:04 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x18A2A9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614969Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:04 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x18A2AA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H1-830646-22 Source Network Address: 10.222.0.59 Source Port: 52850 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614968Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:04 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x18A2AA Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614967Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:04 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x18A2A9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H1-830646-22 Source Network Address: 10.222.0.59 Source Port: 52851 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614966Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:04 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x18A2A9 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614965Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:04 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x18A2A7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H1-830646-22 Source Network Address: 10.222.0.59 Source Port: 52849 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614964Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:04 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x18A2A7 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614963Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:04 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x189F39 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H1-830646-22 Source Network Address: 10.222.0.59 Source Port: 52848 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614962Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:04 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x189F39 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614961Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:04 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-798768737-1250606277-3401433782-2175936861 Account Name: 2F9C3E61-BCC5-4A8A-B6C2-BDCA5D29B281 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x18826D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614960Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:03 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-798768737-1250606277-3401433782-2175936861 Account Name: 2F9C3E61-BCC5-4A8A-B6C2-BDCA5D29B281 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x18826D Privileges: SeImpersonatePrivilege467200125480-921436483760003481614959Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:03 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-798768737-1250606277-3401433782-2175936861 Account Name: 2F9C3E61-BCC5-4A8A-B6C2-BDCA5D29B281 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x18826D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614958Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:03 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2F9C3E61-BCC5-4A8A-B6C2-BDCA5D29B281 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614957Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:55:03 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x18137F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7C3D82AD-77BE-3C62-B5B8-0CF232B06C6D} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 52781 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614956Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:57 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x18137F Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614955Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:57 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x18133D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7C3D82AD-77BE-3C62-B5B8-0CF232B06C6D} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 52780 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614954Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:57 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x18133D Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614953Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:57 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x181320 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7C3D82AD-77BE-3C62-B5B8-0CF232B06C6D} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 52780 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614952Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:57 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x181320 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614951Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:57 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x1812FC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7C3D82AD-77BE-3C62-B5B8-0CF232B06C6D} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 52780 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614950Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:57 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x1812FC Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614949Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:57 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x18110C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7C3D82AD-77BE-3C62-B5B8-0CF232B06C6D} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 52780 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614948Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:57 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x18110C Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614947Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:57 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x1810EC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7C3D82AD-77BE-3C62-B5B8-0CF232B06C6D} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 52780 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614946Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:57 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x1810EC Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614945Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:57 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x1810C9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7C3D82AD-77BE-3C62-B5B8-0CF232B06C6D} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 52780 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614944Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:57 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x1810C9 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614943Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:57 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x180EA9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7C3D82AD-77BE-3C62-B5B8-0CF232B06C6D} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 52781 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614942Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:57 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x180EA9 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614941Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:57 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x180E3F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7C3D82AD-77BE-3C62-B5B8-0CF232B06C6D} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 52780 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614940Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:57 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x180E3F Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614939Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:57 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x180E20 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7C3D82AD-77BE-3C62-B5B8-0CF232B06C6D} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 52780 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614938Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:57 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x180E20 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614937Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:57 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x180DFB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7C3D82AD-77BE-3C62-B5B8-0CF232B06C6D} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 52780 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614936Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:57 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x180DFB Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614935Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:57 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x180769 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7C3D82AD-77BE-3C62-B5B8-0CF232B06C6D} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 52781 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614934Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:57 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x180769 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614933Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:57 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x1804E5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7C3D82AD-77BE-3C62-B5B8-0CF232B06C6D} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 52781 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614932Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:57 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x1804E5 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614931Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:57 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x1802C6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7C3D82AD-77BE-3C62-B5B8-0CF232B06C6D} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 52781 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614930Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:57 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x1802C6 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614929Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:57 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x18027A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7C3D82AD-77BE-3C62-B5B8-0CF232B06C6D} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 52780 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614928Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:57 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x18027A Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614927Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:57 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x1801C9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7C3D82AD-77BE-3C62-B5B8-0CF232B06C6D} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 52780 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614926Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:57 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x1801C9 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614925Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:57 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x180150 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7C3D82AD-77BE-3C62-B5B8-0CF232B06C6D} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 52780 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614924Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:57 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x180150 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614923Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:57 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x17FCE3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7C3D82AD-77BE-3C62-B5B8-0CF232B06C6D} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 52781 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614922Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:57 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x17FCE3 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614921Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:57 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x17FCA0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7C3D82AD-77BE-3C62-B5B8-0CF232B06C6D} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 52780 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614920Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:57 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x17FCA0 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614919Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:57 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x17FC2F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7C3D82AD-77BE-3C62-B5B8-0CF232B06C6D} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 52780 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614918Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:57 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x17FC2F Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614917Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:57 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x17FBE7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7C3D82AD-77BE-3C62-B5B8-0CF232B06C6D} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 52780 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614916Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:57 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x17FBE7 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614915Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:57 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3542888705-1297846302-1709055648-3209839753 Account Name: D32C3101-901E-4D5B-A01E-DE65894452BF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x17F835 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614914Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:57 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3542888705-1297846302-1709055648-3209839753 Account Name: D32C3101-901E-4D5B-A01E-DE65894452BF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x17F835 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614913Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:57 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3542888705-1297846302-1709055648-3209839753 Account Name: D32C3101-901E-4D5B-A01E-DE65894452BF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x17F835 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614912Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:57 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D32C3101-901E-4D5B-A01E-DE65894452BF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614911Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:57 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3542888705-1297846302-1709055648-3209839753 Account Name: D32C3101-901E-4D5B-A01E-DE65894452BF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x17E266 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614910Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:56 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3542888705-1297846302-1709055648-3209839753 Account Name: D32C3101-901E-4D5B-A01E-DE65894452BF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x17E505 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614909Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:56 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3542888705-1297846302-1709055648-3209839753 Account Name: D32C3101-901E-4D5B-A01E-DE65894452BF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x17E505 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614908Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:56 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D32C3101-901E-4D5B-A01E-DE65894452BF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614907Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:56 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3542888705-1297846302-1709055648-3209839753 Account Name: D32C3101-901E-4D5B-A01E-DE65894452BF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x17E444 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614906Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:56 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3542888705-1297846302-1709055648-3209839753 Account Name: D32C3101-901E-4D5B-A01E-DE65894452BF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x17E444 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614905Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:56 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3542888705-1297846302-1709055648-3209839753 Account Name: D32C3101-901E-4D5B-A01E-DE65894452BF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x17E444 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614904Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:56 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D32C3101-901E-4D5B-A01E-DE65894452BF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614903Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:56 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3542888705-1297846302-1709055648-3209839753 Account Name: D32C3101-901E-4D5B-A01E-DE65894452BF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x17E399 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614902Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:56 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3542888705-1297846302-1709055648-3209839753 Account Name: D32C3101-901E-4D5B-A01E-DE65894452BF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x17E399 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614901Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:56 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3542888705-1297846302-1709055648-3209839753 Account Name: D32C3101-901E-4D5B-A01E-DE65894452BF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x17E399 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614900Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:56 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D32C3101-901E-4D5B-A01E-DE65894452BF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614899Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:56 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3542888705-1297846302-1709055648-3209839753 Account Name: D32C3101-901E-4D5B-A01E-DE65894452BF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x17E266 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614898Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:56 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3542888705-1297846302-1709055648-3209839753 Account Name: D32C3101-901E-4D5B-A01E-DE65894452BF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x17E266 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614897Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:56 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D32C3101-901E-4D5B-A01E-DE65894452BF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614896Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:56 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-798768737-1250606277-3401433782-2175936861 Account Name: 2F9C3E61-BCC5-4A8A-B6C2-BDCA5D29B281 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x17CB21 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614895Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:55 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-798768737-1250606277-3401433782-2175936861 Account Name: 2F9C3E61-BCC5-4A8A-B6C2-BDCA5D29B281 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x17CB21 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614894Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:55 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-798768737-1250606277-3401433782-2175936861 Account Name: 2F9C3E61-BCC5-4A8A-B6C2-BDCA5D29B281 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x17CB21 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614893Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:55 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2F9C3E61-BCC5-4A8A-B6C2-BDCA5D29B281 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614892Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:55 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-798768737-1250606277-3401433782-2175936861 Account Name: 2F9C3E61-BCC5-4A8A-B6C2-BDCA5D29B281 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x17B88F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614891Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:55 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-798768737-1250606277-3401433782-2175936861 Account Name: 2F9C3E61-BCC5-4A8A-B6C2-BDCA5D29B281 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x17B9D6 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614890Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:54 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-798768737-1250606277-3401433782-2175936861 Account Name: 2F9C3E61-BCC5-4A8A-B6C2-BDCA5D29B281 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x17B9D6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614889Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:54 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2F9C3E61-BCC5-4A8A-B6C2-BDCA5D29B281 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614888Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:54 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-798768737-1250606277-3401433782-2175936861 Account Name: 2F9C3E61-BCC5-4A8A-B6C2-BDCA5D29B281 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x17B97D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614887Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:54 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-798768737-1250606277-3401433782-2175936861 Account Name: 2F9C3E61-BCC5-4A8A-B6C2-BDCA5D29B281 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x17B97D Privileges: SeImpersonatePrivilege467200125480-921436483760003481614886Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:54 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-798768737-1250606277-3401433782-2175936861 Account Name: 2F9C3E61-BCC5-4A8A-B6C2-BDCA5D29B281 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x17B97D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614885Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:54 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2F9C3E61-BCC5-4A8A-B6C2-BDCA5D29B281 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614884Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:54 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-798768737-1250606277-3401433782-2175936861 Account Name: 2F9C3E61-BCC5-4A8A-B6C2-BDCA5D29B281 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x17B934 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614883Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:54 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-798768737-1250606277-3401433782-2175936861 Account Name: 2F9C3E61-BCC5-4A8A-B6C2-BDCA5D29B281 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x17B934 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614882Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:54 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-798768737-1250606277-3401433782-2175936861 Account Name: 2F9C3E61-BCC5-4A8A-B6C2-BDCA5D29B281 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x17B934 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614881Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:54 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2F9C3E61-BCC5-4A8A-B6C2-BDCA5D29B281 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614880Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:54 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-798768737-1250606277-3401433782-2175936861 Account Name: 2F9C3E61-BCC5-4A8A-B6C2-BDCA5D29B281 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x17B88F Privileges: SeImpersonatePrivilege467200125480-921436483760003481614879Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:54 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-798768737-1250606277-3401433782-2175936861 Account Name: 2F9C3E61-BCC5-4A8A-B6C2-BDCA5D29B281 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x17B88F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614878Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:54 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2F9C3E61-BCC5-4A8A-B6C2-BDCA5D29B281 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614877Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:54 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3476876129-1237976933-3060546228-2294677273 Account Name: CF3CEB61-0765-49CA-B43A-6CB619FFC588 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x17A14E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614876Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:54 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3476876129-1237976933-3060546228-2294677273 Account Name: CF3CEB61-0765-49CA-B43A-6CB619FFC588 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x17A14E Privileges: SeImpersonatePrivilege467200125480-921436483760003481614875Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:54 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3476876129-1237976933-3060546228-2294677273 Account Name: CF3CEB61-0765-49CA-B43A-6CB619FFC588 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x17A14E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614874Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:54 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CF3CEB61-0765-49CA-B43A-6CB619FFC588 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614873Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:54 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x16B286 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614872Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:52 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3476876129-1237976933-3060546228-2294677273 Account Name: CF3CEB61-0765-49CA-B43A-6CB619FFC588 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1743D3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614871Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:45 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3476876129-1237976933-3060546228-2294677273 Account Name: CF3CEB61-0765-49CA-B43A-6CB619FFC588 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1743D3 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614870Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:45 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3476876129-1237976933-3060546228-2294677273 Account Name: CF3CEB61-0765-49CA-B43A-6CB619FFC588 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1743D3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614869Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:45 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CF3CEB61-0765-49CA-B43A-6CB619FFC588 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614868Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:45 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3476876129-1237976933-3060546228-2294677273 Account Name: CF3CEB61-0765-49CA-B43A-6CB619FFC588 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x172FC3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614867Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:45 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3476876129-1237976933-3060546228-2294677273 Account Name: CF3CEB61-0765-49CA-B43A-6CB619FFC588 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x173230 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614866Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:45 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3476876129-1237976933-3060546228-2294677273 Account Name: CF3CEB61-0765-49CA-B43A-6CB619FFC588 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x173230 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614865Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:45 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CF3CEB61-0765-49CA-B43A-6CB619FFC588 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614864Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:45 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3476876129-1237976933-3060546228-2294677273 Account Name: CF3CEB61-0765-49CA-B43A-6CB619FFC588 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x17317D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614863Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:45 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3476876129-1237976933-3060546228-2294677273 Account Name: CF3CEB61-0765-49CA-B43A-6CB619FFC588 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x17317D Privileges: SeImpersonatePrivilege467200125480-921436483760003481614862Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:45 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3476876129-1237976933-3060546228-2294677273 Account Name: CF3CEB61-0765-49CA-B43A-6CB619FFC588 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x17317D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614861Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:45 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CF3CEB61-0765-49CA-B43A-6CB619FFC588 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614860Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:45 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3476876129-1237976933-3060546228-2294677273 Account Name: CF3CEB61-0765-49CA-B43A-6CB619FFC588 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1730E0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614859Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:45 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3476876129-1237976933-3060546228-2294677273 Account Name: CF3CEB61-0765-49CA-B43A-6CB619FFC588 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1730E0 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614858Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:45 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3476876129-1237976933-3060546228-2294677273 Account Name: CF3CEB61-0765-49CA-B43A-6CB619FFC588 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1730E0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614857Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:45 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CF3CEB61-0765-49CA-B43A-6CB619FFC588 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614856Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:45 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3476876129-1237976933-3060546228-2294677273 Account Name: CF3CEB61-0765-49CA-B43A-6CB619FFC588 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x172FC3 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614855Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:45 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3476876129-1237976933-3060546228-2294677273 Account Name: CF3CEB61-0765-49CA-B43A-6CB619FFC588 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x172FC3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614854Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:45 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CF3CEB61-0765-49CA-B43A-6CB619FFC588 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614853Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:45 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3347702321-1275129069-3063595163-734463100 Account Name: C789E231-ECED-4C00-9BC0-9AB67C04C72B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16F169 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614852Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:41 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3347702321-1275129069-3063595163-734463100 Account Name: C789E231-ECED-4C00-9BC0-9AB67C04C72B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16F169 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614851Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:41 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3347702321-1275129069-3063595163-734463100 Account Name: C789E231-ECED-4C00-9BC0-9AB67C04C72B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16F169 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614850Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:41 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C789E231-ECED-4C00-9BC0-9AB67C04C72B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614849Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:41 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x16B286 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {D0B31884-CC83-5AC1-AEA2-9978389BDDB1} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 52820 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614848Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:36 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x16B286 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614847Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:36 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3347702321-1275129069-3063595163-734463100 Account Name: C789E231-ECED-4C00-9BC0-9AB67C04C72B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x169822 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614846Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:33 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3347702321-1275129069-3063595163-734463100 Account Name: C789E231-ECED-4C00-9BC0-9AB67C04C72B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x169822 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614845Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:33 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3347702321-1275129069-3063595163-734463100 Account Name: C789E231-ECED-4C00-9BC0-9AB67C04C72B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x169822 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614844Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:33 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C789E231-ECED-4C00-9BC0-9AB67C04C72B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614843Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:33 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3347702321-1275129069-3063595163-734463100 Account Name: C789E231-ECED-4C00-9BC0-9AB67C04C72B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16889F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614842Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:33 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3347702321-1275129069-3063595163-734463100 Account Name: C789E231-ECED-4C00-9BC0-9AB67C04C72B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1689E6 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614841Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:33 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3347702321-1275129069-3063595163-734463100 Account Name: C789E231-ECED-4C00-9BC0-9AB67C04C72B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1689E6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614840Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:33 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C789E231-ECED-4C00-9BC0-9AB67C04C72B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614839Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:33 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3347702321-1275129069-3063595163-734463100 Account Name: C789E231-ECED-4C00-9BC0-9AB67C04C72B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16898D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614838Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:33 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3347702321-1275129069-3063595163-734463100 Account Name: C789E231-ECED-4C00-9BC0-9AB67C04C72B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16898D Privileges: SeImpersonatePrivilege467200125480-921436483760003481614837Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:33 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3347702321-1275129069-3063595163-734463100 Account Name: C789E231-ECED-4C00-9BC0-9AB67C04C72B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16898D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614836Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:33 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C789E231-ECED-4C00-9BC0-9AB67C04C72B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614835Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:33 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3347702321-1275129069-3063595163-734463100 Account Name: C789E231-ECED-4C00-9BC0-9AB67C04C72B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x168944 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614834Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:32 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3347702321-1275129069-3063595163-734463100 Account Name: C789E231-ECED-4C00-9BC0-9AB67C04C72B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x168944 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614833Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:32 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3347702321-1275129069-3063595163-734463100 Account Name: C789E231-ECED-4C00-9BC0-9AB67C04C72B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x168944 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614832Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:32 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C789E231-ECED-4C00-9BC0-9AB67C04C72B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614831Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:32 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3347702321-1275129069-3063595163-734463100 Account Name: C789E231-ECED-4C00-9BC0-9AB67C04C72B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16889F Privileges: SeImpersonatePrivilege467200125480-921436483760003481614830Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:32 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3347702321-1275129069-3063595163-734463100 Account Name: C789E231-ECED-4C00-9BC0-9AB67C04C72B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16889F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614829Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:32 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C789E231-ECED-4C00-9BC0-9AB67C04C72B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614828Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:32 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2122259485-1210584226-2469384577-3662011411 Account Name: 7E7F1C1D-0CA2-4828-81D1-2F9313DC45DA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1647CD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614827Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:30 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2122259485-1210584226-2469384577-3662011411 Account Name: 7E7F1C1D-0CA2-4828-81D1-2F9313DC45DA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1647CD Privileges: SeImpersonatePrivilege467200125480-921436483760003481614826Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:30 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2122259485-1210584226-2469384577-3662011411 Account Name: 7E7F1C1D-0CA2-4828-81D1-2F9313DC45DA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1647CD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614825Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:30 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7E7F1C1D-0CA2-4828-81D1-2F9313DC45DA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614824Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:30 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x13E22C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614823Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:30 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-1106 Account Name: N-H1-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x13F522 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614822Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:30 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-214811322-1074660899-784495240-2911757804 Account Name: 0CCDC2BA-0623-400E-8872-C22EECE58DAD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x13C670 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614821Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:28 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-48267962-1159960567-3256211894-2243137324 Account Name: 02E082BA-97F7-4523-B6D9-15C22C8FB385 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x13AAE6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614820Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:27 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-1106 Account Name: N-H1-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x13EB60 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614819Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:24 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-48267962-1159960567-3256211894-2243137324 Account Name: 02E082BA-97F7-4523-B6D9-15C22C8FB385 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x14D310 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614818Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:24 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-48267962-1159960567-3256211894-2243137324 Account Name: 02E082BA-97F7-4523-B6D9-15C22C8FB385 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x14D310 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614817Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:24 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-48267962-1159960567-3256211894-2243137324 Account Name: 02E082BA-97F7-4523-B6D9-15C22C8FB385 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x14D310 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614816Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:24 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 02E082BA-97F7-4523-B6D9-15C22C8FB385 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614815Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:24 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-214811322-1074660899-784495240-2911757804 Account Name: 0CCDC2BA-0623-400E-8872-C22EECE58DAD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x14A8DA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614814Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:21 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-214811322-1074660899-784495240-2911757804 Account Name: 0CCDC2BA-0623-400E-8872-C22EECE58DAD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x14A8DA Privileges: SeImpersonatePrivilege467200125480-921436483760003481614813Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:21 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-214811322-1074660899-784495240-2911757804 Account Name: 0CCDC2BA-0623-400E-8872-C22EECE58DAD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x14A8DA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614812Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:21 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0CCDC2BA-0623-400E-8872-C22EECE58DAD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614811Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:21 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x13E43E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614810Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:17 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-650866845-1114061388-1148192150-168056869 Account Name: 26CB709D-3A4C-4267-9605-70442558040A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x147F4B Privileges: SeImpersonatePrivilege467200125480-921436483760003481614809Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:17 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-650866845-1114061388-1148192150-168056869 Account Name: 26CB709D-3A4C-4267-9605-70442558040A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x147F4B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614808Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:17 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 26CB709D-3A4C-4267-9605-70442558040A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614807Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:17 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x14370B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614806Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:16 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x14370B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B85719B1-50A8-BABA-B4C7-48A7FBC5B92F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614805Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:16 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x14370B Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614804Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:16 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-650866845-1114061388-1148192150-168056869 Account Name: 26CB709D-3A4C-4267-9605-70442558040A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x143568 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614803Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:16 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-650866845-1114061388-1148192150-168056869 Account Name: 26CB709D-3A4C-4267-9605-70442558040A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x143568 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614802Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:16 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-650866845-1114061388-1148192150-168056869 Account Name: 26CB709D-3A4C-4267-9605-70442558040A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x143568 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614801Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:16 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 26CB709D-3A4C-4267-9605-70442558040A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614800Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:16 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-650866845-1114061388-1148192150-168056869 Account Name: 26CB709D-3A4C-4267-9605-70442558040A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x14333D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614799Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:16 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-650866845-1114061388-1148192150-168056869 Account Name: 26CB709D-3A4C-4267-9605-70442558040A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x14333D Privileges: SeImpersonatePrivilege467200125480-921436483760003481614798Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:16 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-650866845-1114061388-1148192150-168056869 Account Name: 26CB709D-3A4C-4267-9605-70442558040A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x14333D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614797Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:16 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 26CB709D-3A4C-4267-9605-70442558040A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614796Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:16 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-1106 Account Name: N-H1-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x13F5FF Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614795Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:14 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-1106 Account Name: N-H1-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x13F632 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614794Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:14 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-1106 Account Name: N-H1-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x13F61D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614793Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:14 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-1106 Account Name: N-H1-830646-22$ Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x13F632 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00C31D32-CE44-80EE-D2D6-0A09B1B5BAFE} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 52779 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614792Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:14 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-1106 Account Name: N-H1-830646-22$ Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x13F61D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00C31D32-CE44-80EE-D2D6-0A09B1B5BAFE} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 52778 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614791Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:14 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-1106 Account Name: N-H1-830646-22$ Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x13F5FF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00C31D32-CE44-80EE-D2D6-0A09B1B5BAFE} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 52777 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614790Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:14 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-1106 Account Name: N-H1-830646-22$ Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x13F522 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00C31D32-CE44-80EE-D2D6-0A09B1B5BAFE} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 52776 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614789Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:14 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-1106 Account Name: N-H1-830646-22$ Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x13EB60 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9A52271C-037F-502A-1FDE-F34092406395} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 52776 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614788Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:14 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-1106 Account Name: N-H1-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x13E52A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614787Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:14 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-1106 Account Name: N-H1-830646-22$ Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x13E52A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {BB864D88-B638-FCF7-EC62-A2356167423D} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614786Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:14 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-650866845-1114061388-1148192150-168056869 Account Name: 26CB709D-3A4C-4267-9605-70442558040A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x13E4BE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614785Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:14 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-650866845-1114061388-1148192150-168056869 Account Name: 26CB709D-3A4C-4267-9605-70442558040A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x13E4BE Privileges: SeImpersonatePrivilege467200125480-921436483760003481614784Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:14 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-650866845-1114061388-1148192150-168056869 Account Name: 26CB709D-3A4C-4267-9605-70442558040A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x13E4BE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614783Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:14 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 26CB709D-3A4C-4267-9605-70442558040A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614782Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:14 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-650866845-1114061388-1148192150-168056869 Account Name: 26CB709D-3A4C-4267-9605-70442558040A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x13E46B Privileges: SeImpersonatePrivilege467200125480-921436483760003481614781Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:14 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-650866845-1114061388-1148192150-168056869 Account Name: 26CB709D-3A4C-4267-9605-70442558040A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x13E46B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614780Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:14 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 26CB709D-3A4C-4267-9605-70442558040A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614779Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:14 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x13E43E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B85719B1-50A8-BABA-B4C7-48A7FBC5B92F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614778Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:14 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x13E43E Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614777Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:14 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x13E3AC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7C3D82AD-77BE-3C62-B5B8-0CF232B06C6D} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 52781 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614776Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:14 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x13E3AC Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614775Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:14 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x13E315 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7C3D82AD-77BE-3C62-B5B8-0CF232B06C6D} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 52781 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614774Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:14 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x13E315 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614773Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:14 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x13E2DE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7C3D82AD-77BE-3C62-B5B8-0CF232B06C6D} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 52780 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614772Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:14 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x13E2DE Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614771Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:14 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x13E2C9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7C3D82AD-77BE-3C62-B5B8-0CF232B06C6D} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 52780 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614770Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:14 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x13E2C9 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614769Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:14 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x13E2B2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7C3D82AD-77BE-3C62-B5B8-0CF232B06C6D} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 52780 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614768Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:14 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x13E2B2 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614767Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:14 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x13E2A1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7C3D82AD-77BE-3C62-B5B8-0CF232B06C6D} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 52780 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614766Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:14 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x13E2A1 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614765Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:14 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x13E280 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614764Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:14 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x13E270 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614763Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:14 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x13E260 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614762Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:14 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x13E280 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {D0B31884-CC83-5AC1-AEA2-9978389BDDB1} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 52778 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614761Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:14 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x13E280 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614760Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:14 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x13E270 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {D0B31884-CC83-5AC1-AEA2-9978389BDDB1} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 52779 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614759Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:14 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x13E270 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614758Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:14 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x13E260 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {D0B31884-CC83-5AC1-AEA2-9978389BDDB1} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 52777 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614757Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:14 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x13E260 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614756Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:14 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x13E22C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {D0B31884-CC83-5AC1-AEA2-9978389BDDB1} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 52776 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614755Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:14 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x13E22C Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614754Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:14 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-214811322-1074660899-784495240-2911757804 Account Name: 0CCDC2BA-0623-400E-8872-C22EECE58DAD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x13D477 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614753Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:13 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-214811322-1074660899-784495240-2911757804 Account Name: 0CCDC2BA-0623-400E-8872-C22EECE58DAD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x13D477 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614752Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:13 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-214811322-1074660899-784495240-2911757804 Account Name: 0CCDC2BA-0623-400E-8872-C22EECE58DAD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x13D477 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614751Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:13 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0CCDC2BA-0623-400E-8872-C22EECE58DAD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614750Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:13 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-214811322-1074660899-784495240-2911757804 Account Name: 0CCDC2BA-0623-400E-8872-C22EECE58DAD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x13C529 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614749Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:13 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-214811322-1074660899-784495240-2911757804 Account Name: 0CCDC2BA-0623-400E-8872-C22EECE58DAD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x13C670 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614748Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:13 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-214811322-1074660899-784495240-2911757804 Account Name: 0CCDC2BA-0623-400E-8872-C22EECE58DAD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x13C670 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614747Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:13 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0CCDC2BA-0623-400E-8872-C22EECE58DAD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614746Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:13 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-214811322-1074660899-784495240-2911757804 Account Name: 0CCDC2BA-0623-400E-8872-C22EECE58DAD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x13C617 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614745Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:13 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-214811322-1074660899-784495240-2911757804 Account Name: 0CCDC2BA-0623-400E-8872-C22EECE58DAD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x13C617 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614744Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:13 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-214811322-1074660899-784495240-2911757804 Account Name: 0CCDC2BA-0623-400E-8872-C22EECE58DAD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x13C617 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614743Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:13 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0CCDC2BA-0623-400E-8872-C22EECE58DAD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614742Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:13 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-214811322-1074660899-784495240-2911757804 Account Name: 0CCDC2BA-0623-400E-8872-C22EECE58DAD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x13C5CE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614741Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:13 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-214811322-1074660899-784495240-2911757804 Account Name: 0CCDC2BA-0623-400E-8872-C22EECE58DAD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x13C5CE Privileges: SeImpersonatePrivilege467200125480-921436483760003481614740Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:13 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-214811322-1074660899-784495240-2911757804 Account Name: 0CCDC2BA-0623-400E-8872-C22EECE58DAD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x13C5CE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614739Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:13 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0CCDC2BA-0623-400E-8872-C22EECE58DAD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614738Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:13 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-214811322-1074660899-784495240-2911757804 Account Name: 0CCDC2BA-0623-400E-8872-C22EECE58DAD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x13C529 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614737Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:13 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-214811322-1074660899-784495240-2911757804 Account Name: 0CCDC2BA-0623-400E-8872-C22EECE58DAD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x13C529 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614736Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:13 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0CCDC2BA-0623-400E-8872-C22EECE58DAD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614735Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:13 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-48267962-1159960567-3256211894-2243137324 Account Name: 02E082BA-97F7-4523-B6D9-15C22C8FB385 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x13B85D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614734Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:12 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-48267962-1159960567-3256211894-2243137324 Account Name: 02E082BA-97F7-4523-B6D9-15C22C8FB385 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x13B85D Privileges: SeImpersonatePrivilege467200125480-921436483760003481614733Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:12 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-48267962-1159960567-3256211894-2243137324 Account Name: 02E082BA-97F7-4523-B6D9-15C22C8FB385 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x13B85D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614732Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:12 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 02E082BA-97F7-4523-B6D9-15C22C8FB385 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614731Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:12 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-48267962-1159960567-3256211894-2243137324 Account Name: 02E082BA-97F7-4523-B6D9-15C22C8FB385 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x13A99E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614730Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:12 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-48267962-1159960567-3256211894-2243137324 Account Name: 02E082BA-97F7-4523-B6D9-15C22C8FB385 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x13AAE6 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614729Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:12 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-48267962-1159960567-3256211894-2243137324 Account Name: 02E082BA-97F7-4523-B6D9-15C22C8FB385 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x13AAE6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614728Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:12 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 02E082BA-97F7-4523-B6D9-15C22C8FB385 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614727Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:12 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-48267962-1159960567-3256211894-2243137324 Account Name: 02E082BA-97F7-4523-B6D9-15C22C8FB385 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x13AA8C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614726Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:12 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-48267962-1159960567-3256211894-2243137324 Account Name: 02E082BA-97F7-4523-B6D9-15C22C8FB385 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x13AA8C Privileges: SeImpersonatePrivilege467200125480-921436483760003481614725Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:12 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-48267962-1159960567-3256211894-2243137324 Account Name: 02E082BA-97F7-4523-B6D9-15C22C8FB385 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x13AA8C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614724Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:12 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 02E082BA-97F7-4523-B6D9-15C22C8FB385 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614723Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:12 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-48267962-1159960567-3256211894-2243137324 Account Name: 02E082BA-97F7-4523-B6D9-15C22C8FB385 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x13AA43 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614722Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:12 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-48267962-1159960567-3256211894-2243137324 Account Name: 02E082BA-97F7-4523-B6D9-15C22C8FB385 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x13AA43 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614721Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:12 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-48267962-1159960567-3256211894-2243137324 Account Name: 02E082BA-97F7-4523-B6D9-15C22C8FB385 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x13AA43 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614720Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:12 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 02E082BA-97F7-4523-B6D9-15C22C8FB385 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614719Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:12 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-48267962-1159960567-3256211894-2243137324 Account Name: 02E082BA-97F7-4523-B6D9-15C22C8FB385 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x13A99E Privileges: SeImpersonatePrivilege467200125480-921436483760003481614718Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:12 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-48267962-1159960567-3256211894-2243137324 Account Name: 02E082BA-97F7-4523-B6D9-15C22C8FB385 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x13A99E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614717Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:12 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 02E082BA-97F7-4523-B6D9-15C22C8FB385 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614716Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:12 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-614734538-1104261951-4138537879-2232211166 Account Name: 24A41ACA-B33F-41D1-9713-ADF6DED60C85 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12A222 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614715Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:54:00 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-614734538-1104261951-4138537879-2232211166 Account Name: 24A41ACA-B33F-41D1-9713-ADF6DED60C85 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x131CBD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614714Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:55 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-614734538-1104261951-4138537879-2232211166 Account Name: 24A41ACA-B33F-41D1-9713-ADF6DED60C85 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x131CBD Privileges: SeImpersonatePrivilege467200125480-921436483760003481614713Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:55 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-614734538-1104261951-4138537879-2232211166 Account Name: 24A41ACA-B33F-41D1-9713-ADF6DED60C85 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x131CBD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614712Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:55 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 24A41ACA-B33F-41D1-9713-ADF6DED60C85 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614711Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:55 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x11B418 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614710Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:54 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x11B403 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614709Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:54 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x11B4E6 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614708Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:54 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x11B3EC Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614707Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:54 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x11B44F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614706Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:54 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x11B3DB Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614705Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:54 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-322663258-1083096979-841466508-2658194975 Account Name: 133B735A-BF93-408E-8CC2-27321FD6709E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1129D4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614704Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:52 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-614734538-1104261951-4138537879-2232211166 Account Name: 24A41ACA-B33F-41D1-9713-ADF6DED60C85 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12B088 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614703Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:49 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-614734538-1104261951-4138537879-2232211166 Account Name: 24A41ACA-B33F-41D1-9713-ADF6DED60C85 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12B088 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614702Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:49 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-614734538-1104261951-4138537879-2232211166 Account Name: 24A41ACA-B33F-41D1-9713-ADF6DED60C85 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12B088 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614701Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:49 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 24A41ACA-B33F-41D1-9713-ADF6DED60C85 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614700Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:49 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-614734538-1104261951-4138537879-2232211166 Account Name: 24A41ACA-B33F-41D1-9713-ADF6DED60C85 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12A0D7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614699Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:48 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-614734538-1104261951-4138537879-2232211166 Account Name: 24A41ACA-B33F-41D1-9713-ADF6DED60C85 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12A222 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614698Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:48 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-614734538-1104261951-4138537879-2232211166 Account Name: 24A41ACA-B33F-41D1-9713-ADF6DED60C85 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12A222 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614697Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:48 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 24A41ACA-B33F-41D1-9713-ADF6DED60C85 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614696Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:48 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-614734538-1104261951-4138537879-2232211166 Account Name: 24A41ACA-B33F-41D1-9713-ADF6DED60C85 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12A1C9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614695Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:48 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-614734538-1104261951-4138537879-2232211166 Account Name: 24A41ACA-B33F-41D1-9713-ADF6DED60C85 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12A1C9 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614694Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:48 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-614734538-1104261951-4138537879-2232211166 Account Name: 24A41ACA-B33F-41D1-9713-ADF6DED60C85 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12A1C9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614693Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:48 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 24A41ACA-B33F-41D1-9713-ADF6DED60C85 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614692Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:48 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-614734538-1104261951-4138537879-2232211166 Account Name: 24A41ACA-B33F-41D1-9713-ADF6DED60C85 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12A17C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614691Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:48 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-614734538-1104261951-4138537879-2232211166 Account Name: 24A41ACA-B33F-41D1-9713-ADF6DED60C85 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12A17C Privileges: SeImpersonatePrivilege467200125480-921436483760003481614690Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:48 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-614734538-1104261951-4138537879-2232211166 Account Name: 24A41ACA-B33F-41D1-9713-ADF6DED60C85 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12A17C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614689Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:48 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 24A41ACA-B33F-41D1-9713-ADF6DED60C85 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614688Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:48 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-614734538-1104261951-4138537879-2232211166 Account Name: 24A41ACA-B33F-41D1-9713-ADF6DED60C85 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12A0D7 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614687Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:48 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-614734538-1104261951-4138537879-2232211166 Account Name: 24A41ACA-B33F-41D1-9713-ADF6DED60C85 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12A0D7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614686Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:48 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 24A41ACA-B33F-41D1-9713-ADF6DED60C85 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614685Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:48 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-1106 Account Name: N-H1-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x11C6B1 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614684Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:39 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x11B1EC Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614683Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:39 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-1106 Account Name: N-H1-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x11C337 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614682Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:39 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x11B5FB Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614681Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:28 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4172445388-1180462091-1388852360-1014591754 Account Name: F8B276CC-6C0B-465C-8834-C8520A71793C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1243C7 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614680Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:28 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4172445388-1180462091-1388852360-1014591754 Account Name: F8B276CC-6C0B-465C-8834-C8520A71793C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1243C7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614679Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:28 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F8B276CC-6C0B-465C-8834-C8520A71793C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614678Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:28 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2122259485-1210584226-2469384577-3662011411 Account Name: 7E7F1C1D-0CA2-4828-81D1-2F9313DC45DA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1211A0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614677Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:26 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2122259485-1210584226-2469384577-3662011411 Account Name: 7E7F1C1D-0CA2-4828-81D1-2F9313DC45DA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1211A0 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614676Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:26 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2122259485-1210584226-2469384577-3662011411 Account Name: 7E7F1C1D-0CA2-4828-81D1-2F9313DC45DA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1211A0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614675Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:26 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7E7F1C1D-0CA2-4828-81D1-2F9313DC45DA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614674Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:26 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x11EEBA Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614673Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:25 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x11EEBA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B85719B1-50A8-BABA-B4C7-48A7FBC5B92F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614672Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:25 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x11EEBA Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614671Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:25 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4172445388-1180462091-1388852360-1014591754 Account Name: F8B276CC-6C0B-465C-8834-C8520A71793C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x11ECC5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614670Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:25 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4172445388-1180462091-1388852360-1014591754 Account Name: F8B276CC-6C0B-465C-8834-C8520A71793C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x11ECC5 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614669Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:25 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4172445388-1180462091-1388852360-1014591754 Account Name: F8B276CC-6C0B-465C-8834-C8520A71793C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x11ECC5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614668Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:25 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F8B276CC-6C0B-465C-8834-C8520A71793C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614667Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:25 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4172445388-1180462091-1388852360-1014591754 Account Name: F8B276CC-6C0B-465C-8834-C8520A71793C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x11EB11 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614666Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:25 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4172445388-1180462091-1388852360-1014591754 Account Name: F8B276CC-6C0B-465C-8834-C8520A71793C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x11EB11 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614665Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:25 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4172445388-1180462091-1388852360-1014591754 Account Name: F8B276CC-6C0B-465C-8834-C8520A71793C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x11EB11 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614664Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:25 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F8B276CC-6C0B-465C-8834-C8520A71793C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614663Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:25 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614662Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:25 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614661Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:25 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-1106 Account Name: N-H1-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x11C716 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614660Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:24 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-1106 Account Name: N-H1-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x11C72B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614659Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:24 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-1106 Account Name: N-H1-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x11C729 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614658Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:24 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-1106 Account Name: N-H1-830646-22$ Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x11C729 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0BAFDECA-780F-2AAE-A524-AD443682800E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 52679 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614657Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:24 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-1106 Account Name: N-H1-830646-22$ Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x11C72B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0BAFDECA-780F-2AAE-A524-AD443682800E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 52680 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614656Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:24 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-1106 Account Name: N-H1-830646-22$ Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x11C716 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0BAFDECA-780F-2AAE-A524-AD443682800E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 52678 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614655Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:24 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-1106 Account Name: N-H1-830646-22$ Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x11C6B1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0BAFDECA-780F-2AAE-A524-AD443682800E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 52677 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614654Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:24 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-1106 Account Name: N-H1-830646-22$ Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x11C337 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9A52271C-037F-502A-1FDE-F34092406395} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 52677 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614653Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:23 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-1106 Account Name: N-H1-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x11B755 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614652Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:23 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-1106 Account Name: N-H1-830646-22$ Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x11B755 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {BB864D88-B638-FCF7-EC62-A2356167423D} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614651Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:23 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4172445388-1180462091-1388852360-1014591754 Account Name: F8B276CC-6C0B-465C-8834-C8520A71793C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x11B6ED Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614650Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:23 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4172445388-1180462091-1388852360-1014591754 Account Name: F8B276CC-6C0B-465C-8834-C8520A71793C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x11B6ED Privileges: SeImpersonatePrivilege467200125480-921436483760003481614649Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:23 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4172445388-1180462091-1388852360-1014591754 Account Name: F8B276CC-6C0B-465C-8834-C8520A71793C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x11B6ED Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614648Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:23 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F8B276CC-6C0B-465C-8834-C8520A71793C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614647Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:23 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4172445388-1180462091-1388852360-1014591754 Account Name: F8B276CC-6C0B-465C-8834-C8520A71793C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x11B69A Privileges: SeImpersonatePrivilege467200125480-921436483760003481614646Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:23 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4172445388-1180462091-1388852360-1014591754 Account Name: F8B276CC-6C0B-465C-8834-C8520A71793C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x11B69A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614645Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:23 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F8B276CC-6C0B-465C-8834-C8520A71793C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614644Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:23 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x11B5FB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B85719B1-50A8-BABA-B4C7-48A7FBC5B92F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614643Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:23 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x11B5FB Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614642Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:23 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x11B4E6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7C3D82AD-77BE-3C62-B5B8-0CF232B06C6D} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 52687 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614641Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:23 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x11B4E6 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614640Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:23 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x11B44F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7C3D82AD-77BE-3C62-B5B8-0CF232B06C6D} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 52687 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614639Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:23 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x11B44F Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614638Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:23 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x11B418 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7C3D82AD-77BE-3C62-B5B8-0CF232B06C6D} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 52684 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614637Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:23 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x11B418 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614636Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:23 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x11B403 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7C3D82AD-77BE-3C62-B5B8-0CF232B06C6D} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 52684 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614635Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:23 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x11B403 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614634Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:23 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x11B3EC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7C3D82AD-77BE-3C62-B5B8-0CF232B06C6D} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 52684 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614633Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:23 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x11B3EC Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614632Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:23 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x11B3DB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7C3D82AD-77BE-3C62-B5B8-0CF232B06C6D} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 52684 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614631Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:23 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x11B3DB Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614630Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:23 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x11B25E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B85719B1-50A8-BABA-B4C7-48A7FBC5B92F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 52682 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614629Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:23 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x11B25E Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614628Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:23 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x11B212 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614627Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:23 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x11B228 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614626Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:23 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x11B238 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614625Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:23 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x11B238 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {D0B31884-CC83-5AC1-AEA2-9978389BDDB1} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 52680 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614624Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:23 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x11B238 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614623Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:23 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x11B228 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {D0B31884-CC83-5AC1-AEA2-9978389BDDB1} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 52679 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614622Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:23 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x11B228 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614621Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:23 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x11B212 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {D0B31884-CC83-5AC1-AEA2-9978389BDDB1} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 52678 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614620Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:23 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x11B212 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614619Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:23 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x11B1EC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {D0B31884-CC83-5AC1-AEA2-9978389BDDB1} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 52677 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614618Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:23 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x11B1EC Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614617Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:23 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-322663258-1083096979-841466508-2658194975 Account Name: 133B735A-BF93-408E-8CC2-27321FD6709E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1185EB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614616Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:19 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-322663258-1083096979-841466508-2658194975 Account Name: 133B735A-BF93-408E-8CC2-27321FD6709E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1185EB Privileges: SeImpersonatePrivilege467200125480-921436483760003481614615Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:19 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-322663258-1083096979-841466508-2658194975 Account Name: 133B735A-BF93-408E-8CC2-27321FD6709E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1185EB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614614Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:19 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 133B735A-BF93-408E-8CC2-27321FD6709E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614613Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:19 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2122259485-1210584226-2469384577-3662011411 Account Name: 7E7F1C1D-0CA2-4828-81D1-2F9313DC45DA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x116972 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614612Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:18 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2122259485-1210584226-2469384577-3662011411 Account Name: 7E7F1C1D-0CA2-4828-81D1-2F9313DC45DA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x116972 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614611Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:18 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2122259485-1210584226-2469384577-3662011411 Account Name: 7E7F1C1D-0CA2-4828-81D1-2F9313DC45DA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x116972 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614610Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:18 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7E7F1C1D-0CA2-4828-81D1-2F9313DC45DA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614609Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:18 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2122259485-1210584226-2469384577-3662011411 Account Name: 7E7F1C1D-0CA2-4828-81D1-2F9313DC45DA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x115B25 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614608Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:18 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2122259485-1210584226-2469384577-3662011411 Account Name: 7E7F1C1D-0CA2-4828-81D1-2F9313DC45DA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x115C6C Privileges: SeImpersonatePrivilege467200125480-921436483760003481614607Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:17 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2122259485-1210584226-2469384577-3662011411 Account Name: 7E7F1C1D-0CA2-4828-81D1-2F9313DC45DA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x115C6C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614606Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:17 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7E7F1C1D-0CA2-4828-81D1-2F9313DC45DA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614605Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:17 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2122259485-1210584226-2469384577-3662011411 Account Name: 7E7F1C1D-0CA2-4828-81D1-2F9313DC45DA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x115C13 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614604Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:17 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2122259485-1210584226-2469384577-3662011411 Account Name: 7E7F1C1D-0CA2-4828-81D1-2F9313DC45DA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x115C13 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614603Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:17 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2122259485-1210584226-2469384577-3662011411 Account Name: 7E7F1C1D-0CA2-4828-81D1-2F9313DC45DA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x115C13 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614602Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:17 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7E7F1C1D-0CA2-4828-81D1-2F9313DC45DA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614601Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:17 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2122259485-1210584226-2469384577-3662011411 Account Name: 7E7F1C1D-0CA2-4828-81D1-2F9313DC45DA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x115BCA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614600Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:17 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2122259485-1210584226-2469384577-3662011411 Account Name: 7E7F1C1D-0CA2-4828-81D1-2F9313DC45DA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x115BCA Privileges: SeImpersonatePrivilege467200125480-921436483760003481614599Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:17 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2122259485-1210584226-2469384577-3662011411 Account Name: 7E7F1C1D-0CA2-4828-81D1-2F9313DC45DA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x115BCA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614598Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:17 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7E7F1C1D-0CA2-4828-81D1-2F9313DC45DA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614597Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:17 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2122259485-1210584226-2469384577-3662011411 Account Name: 7E7F1C1D-0CA2-4828-81D1-2F9313DC45DA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x115B25 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614596Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:17 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2122259485-1210584226-2469384577-3662011411 Account Name: 7E7F1C1D-0CA2-4828-81D1-2F9313DC45DA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x115B25 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614595Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:17 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7E7F1C1D-0CA2-4828-81D1-2F9313DC45DA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614594Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:17 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-322663258-1083096979-841466508-2658194975 Account Name: 133B735A-BF93-408E-8CC2-27321FD6709E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1136BB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614593Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:12 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-322663258-1083096979-841466508-2658194975 Account Name: 133B735A-BF93-408E-8CC2-27321FD6709E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1136BB Privileges: SeImpersonatePrivilege467200125480-921436483760003481614592Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:12 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-322663258-1083096979-841466508-2658194975 Account Name: 133B735A-BF93-408E-8CC2-27321FD6709E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1136BB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614591Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:12 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 133B735A-BF93-408E-8CC2-27321FD6709E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614590Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:12 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-322663258-1083096979-841466508-2658194975 Account Name: 133B735A-BF93-408E-8CC2-27321FD6709E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x11288C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614589Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:12 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-322663258-1083096979-841466508-2658194975 Account Name: 133B735A-BF93-408E-8CC2-27321FD6709E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1129D4 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614588Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:12 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-322663258-1083096979-841466508-2658194975 Account Name: 133B735A-BF93-408E-8CC2-27321FD6709E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1129D4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614587Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:12 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 133B735A-BF93-408E-8CC2-27321FD6709E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614586Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:12 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-322663258-1083096979-841466508-2658194975 Account Name: 133B735A-BF93-408E-8CC2-27321FD6709E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x11297A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614585Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:12 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-322663258-1083096979-841466508-2658194975 Account Name: 133B735A-BF93-408E-8CC2-27321FD6709E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x11297A Privileges: SeImpersonatePrivilege467200125480-921436483760003481614584Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:12 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-322663258-1083096979-841466508-2658194975 Account Name: 133B735A-BF93-408E-8CC2-27321FD6709E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x11297A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614583Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:12 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 133B735A-BF93-408E-8CC2-27321FD6709E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614582Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:12 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-322663258-1083096979-841466508-2658194975 Account Name: 133B735A-BF93-408E-8CC2-27321FD6709E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x112931 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614581Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:12 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-322663258-1083096979-841466508-2658194975 Account Name: 133B735A-BF93-408E-8CC2-27321FD6709E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x112931 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614580Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:12 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-322663258-1083096979-841466508-2658194975 Account Name: 133B735A-BF93-408E-8CC2-27321FD6709E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x112931 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614579Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:12 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 133B735A-BF93-408E-8CC2-27321FD6709E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614578Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:12 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-322663258-1083096979-841466508-2658194975 Account Name: 133B735A-BF93-408E-8CC2-27321FD6709E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x11288C Privileges: SeImpersonatePrivilege467200125480-921436483760003481614577Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:12 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-322663258-1083096979-841466508-2658194975 Account Name: 133B735A-BF93-408E-8CC2-27321FD6709E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x11288C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614576Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:12 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 133B735A-BF93-408E-8CC2-27321FD6709E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614575Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:12 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x103723 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614574Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:11 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2109514855-1086452291-3389792184-717728922 Account Name: 7DBCA467-F243-40C1-B81F-0CCA9AACC72A Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF7523 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614573Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:09 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1319037666-1191773003-530766250-2725911097 Account Name: 4E9EEAE2-034B-4709-AAD9-A21F391A7AA2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF59E7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614572Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:04 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1622123049-1183852594-3382017974-2305040624 Account Name: 60AFA229-2832-4690-B67F-95C9F0206489 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF1D15 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614571Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:53:02 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1319037666-1191773003-530766250-2725911097 Account Name: 4E9EEAE2-034B-4709-AAD9-A21F391A7AA2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1064C4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614570Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:52:52 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1319037666-1191773003-530766250-2725911097 Account Name: 4E9EEAE2-034B-4709-AAD9-A21F391A7AA2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1064C4 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614569Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:52:52 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1319037666-1191773003-530766250-2725911097 Account Name: 4E9EEAE2-034B-4709-AAD9-A21F391A7AA2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1064C4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614568Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:52:52 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4E9EEAE2-034B-4709-AAD9-A21F391A7AA2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614567Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:52:52 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x103723 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {D0B31884-CC83-5AC1-AEA2-9978389BDDB1} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 52610 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614566Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:52:38 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0x103723 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614565Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:52:38 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1319037666-1191773003-530766250-2725911097 Account Name: 4E9EEAE2-034B-4709-AAD9-A21F391A7AA2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1016FA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614564Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:52:29 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1319037666-1191773003-530766250-2725911097 Account Name: 4E9EEAE2-034B-4709-AAD9-A21F391A7AA2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1016FA Privileges: SeImpersonatePrivilege467200125480-921436483760003481614563Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:52:29 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1319037666-1191773003-530766250-2725911097 Account Name: 4E9EEAE2-034B-4709-AAD9-A21F391A7AA2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1016FA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614562Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:52:29 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4E9EEAE2-034B-4709-AAD9-A21F391A7AA2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614561Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:52:29 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2109514855-1086452291-3389792184-717728922 Account Name: 7DBCA467-F243-40C1-B81F-0CCA9AACC72A Account Domain: NT VIRTUAL MACHINE Logon ID: 0xFF06D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614560Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:52:27 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2109514855-1086452291-3389792184-717728922 Account Name: 7DBCA467-F243-40C1-B81F-0CCA9AACC72A Account Domain: NT VIRTUAL MACHINE Logon ID: 0xFF06D Privileges: SeImpersonatePrivilege467200125480-921436483760003481614559Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:52:27 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2109514855-1086452291-3389792184-717728922 Account Name: 7DBCA467-F243-40C1-B81F-0CCA9AACC72A Account Domain: NT VIRTUAL MACHINE Logon ID: 0xFF06D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614558Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:52:27 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7DBCA467-F243-40C1-B81F-0CCA9AACC72A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614557Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:52:27 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1622123049-1183852594-3382017974-2305040624 Account Name: 60AFA229-2832-4690-B67F-95C9F0206489 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xFA0BD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614556Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:52:19 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1622123049-1183852594-3382017974-2305040624 Account Name: 60AFA229-2832-4690-B67F-95C9F0206489 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xFA0BD Privileges: SeImpersonatePrivilege467200125480-921436483760003481614555Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:52:19 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1622123049-1183852594-3382017974-2305040624 Account Name: 60AFA229-2832-4690-B67F-95C9F0206489 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xFA0BD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614554Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:52:19 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 60AFA229-2832-4690-B67F-95C9F0206489 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614553Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:52:19 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2109514855-1086452291-3389792184-717728922 Account Name: 7DBCA467-F243-40C1-B81F-0CCA9AACC72A Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF8302 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614552Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:52:18 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2109514855-1086452291-3389792184-717728922 Account Name: 7DBCA467-F243-40C1-B81F-0CCA9AACC72A Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF8302 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614551Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:52:18 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2109514855-1086452291-3389792184-717728922 Account Name: 7DBCA467-F243-40C1-B81F-0CCA9AACC72A Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF8302 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614550Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:52:18 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7DBCA467-F243-40C1-B81F-0CCA9AACC72A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614549Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:52:18 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2109514855-1086452291-3389792184-717728922 Account Name: 7DBCA467-F243-40C1-B81F-0CCA9AACC72A Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF73DC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614548Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:52:18 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2109514855-1086452291-3389792184-717728922 Account Name: 7DBCA467-F243-40C1-B81F-0CCA9AACC72A Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF7523 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614547Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:52:18 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2109514855-1086452291-3389792184-717728922 Account Name: 7DBCA467-F243-40C1-B81F-0CCA9AACC72A Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF7523 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614546Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:52:18 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7DBCA467-F243-40C1-B81F-0CCA9AACC72A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614545Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:52:18 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2109514855-1086452291-3389792184-717728922 Account Name: 7DBCA467-F243-40C1-B81F-0CCA9AACC72A Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF74CA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614544Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:52:18 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2109514855-1086452291-3389792184-717728922 Account Name: 7DBCA467-F243-40C1-B81F-0CCA9AACC72A Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF74CA Privileges: SeImpersonatePrivilege467200125480-921436483760003481614543Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:52:18 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2109514855-1086452291-3389792184-717728922 Account Name: 7DBCA467-F243-40C1-B81F-0CCA9AACC72A Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF74CA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614542Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:52:18 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7DBCA467-F243-40C1-B81F-0CCA9AACC72A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614541Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:52:18 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2109514855-1086452291-3389792184-717728922 Account Name: 7DBCA467-F243-40C1-B81F-0CCA9AACC72A Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF7481 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614540Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:52:18 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2109514855-1086452291-3389792184-717728922 Account Name: 7DBCA467-F243-40C1-B81F-0CCA9AACC72A Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF7481 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614539Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:52:18 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2109514855-1086452291-3389792184-717728922 Account Name: 7DBCA467-F243-40C1-B81F-0CCA9AACC72A Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF7481 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614538Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:52:18 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7DBCA467-F243-40C1-B81F-0CCA9AACC72A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614537Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:52:18 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2109514855-1086452291-3389792184-717728922 Account Name: 7DBCA467-F243-40C1-B81F-0CCA9AACC72A Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF73DC Privileges: SeImpersonatePrivilege467200125480-921436483760003481614536Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:52:17 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2109514855-1086452291-3389792184-717728922 Account Name: 7DBCA467-F243-40C1-B81F-0CCA9AACC72A Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF73DC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614535Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:52:17 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7DBCA467-F243-40C1-B81F-0CCA9AACC72A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614534Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:52:17 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1319037666-1191773003-530766250-2725911097 Account Name: 4E9EEAE2-034B-4709-AAD9-A21F391A7AA2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF66FE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614533Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:52:17 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1319037666-1191773003-530766250-2725911097 Account Name: 4E9EEAE2-034B-4709-AAD9-A21F391A7AA2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF66FE Privileges: SeImpersonatePrivilege467200125480-921436483760003481614532Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:52:17 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1319037666-1191773003-530766250-2725911097 Account Name: 4E9EEAE2-034B-4709-AAD9-A21F391A7AA2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF66FE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614531Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:52:17 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4E9EEAE2-034B-4709-AAD9-A21F391A7AA2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614530Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:52:17 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1319037666-1191773003-530766250-2725911097 Account Name: 4E9EEAE2-034B-4709-AAD9-A21F391A7AA2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF589C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614529Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:52:17 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1319037666-1191773003-530766250-2725911097 Account Name: 4E9EEAE2-034B-4709-AAD9-A21F391A7AA2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF59E7 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614528Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:52:17 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1319037666-1191773003-530766250-2725911097 Account Name: 4E9EEAE2-034B-4709-AAD9-A21F391A7AA2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF59E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614527Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:52:17 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4E9EEAE2-034B-4709-AAD9-A21F391A7AA2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614526Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:52:17 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1319037666-1191773003-530766250-2725911097 Account Name: 4E9EEAE2-034B-4709-AAD9-A21F391A7AA2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF598E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614525Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:52:17 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1319037666-1191773003-530766250-2725911097 Account Name: 4E9EEAE2-034B-4709-AAD9-A21F391A7AA2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF598E Privileges: SeImpersonatePrivilege467200125480-921436483760003481614524Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:52:17 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1319037666-1191773003-530766250-2725911097 Account Name: 4E9EEAE2-034B-4709-AAD9-A21F391A7AA2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF598E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614523Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:52:17 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4E9EEAE2-034B-4709-AAD9-A21F391A7AA2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614522Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:52:17 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1319037666-1191773003-530766250-2725911097 Account Name: 4E9EEAE2-034B-4709-AAD9-A21F391A7AA2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF5945 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614521Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:52:17 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1319037666-1191773003-530766250-2725911097 Account Name: 4E9EEAE2-034B-4709-AAD9-A21F391A7AA2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF5945 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614520Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:52:17 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1319037666-1191773003-530766250-2725911097 Account Name: 4E9EEAE2-034B-4709-AAD9-A21F391A7AA2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF5945 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614519Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:52:17 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4E9EEAE2-034B-4709-AAD9-A21F391A7AA2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614518Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:52:17 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1319037666-1191773003-530766250-2725911097 Account Name: 4E9EEAE2-034B-4709-AAD9-A21F391A7AA2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF589C Privileges: SeImpersonatePrivilege467200125480-921436483760003481614517Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:52:17 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1319037666-1191773003-530766250-2725911097 Account Name: 4E9EEAE2-034B-4709-AAD9-A21F391A7AA2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF589C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614516Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:52:17 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4E9EEAE2-034B-4709-AAD9-A21F391A7AA2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614515Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:52:17 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1622123049-1183852594-3382017974-2305040624 Account Name: 60AFA229-2832-4690-B67F-95C9F0206489 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF3100 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614514Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:52:12 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1622123049-1183852594-3382017974-2305040624 Account Name: 60AFA229-2832-4690-B67F-95C9F0206489 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF3100 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614513Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:52:12 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1622123049-1183852594-3382017974-2305040624 Account Name: 60AFA229-2832-4690-B67F-95C9F0206489 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF3100 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614512Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:52:12 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 60AFA229-2832-4690-B67F-95C9F0206489 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614511Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:52:12 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1622123049-1183852594-3382017974-2305040624 Account Name: 60AFA229-2832-4690-B67F-95C9F0206489 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF29F0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614510Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:52:12 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1622123049-1183852594-3382017974-2305040624 Account Name: 60AFA229-2832-4690-B67F-95C9F0206489 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF29F0 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614509Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:52:12 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1622123049-1183852594-3382017974-2305040624 Account Name: 60AFA229-2832-4690-B67F-95C9F0206489 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF29F0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614508Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:52:12 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 60AFA229-2832-4690-B67F-95C9F0206489 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614507Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:52:12 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1622123049-1183852594-3382017974-2305040624 Account Name: 60AFA229-2832-4690-B67F-95C9F0206489 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF1BCD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614506Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:52:12 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1622123049-1183852594-3382017974-2305040624 Account Name: 60AFA229-2832-4690-B67F-95C9F0206489 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF1D15 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614505Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:52:12 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1622123049-1183852594-3382017974-2305040624 Account Name: 60AFA229-2832-4690-B67F-95C9F0206489 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF1D15 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614504Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:52:12 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 60AFA229-2832-4690-B67F-95C9F0206489 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614503Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:52:12 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1622123049-1183852594-3382017974-2305040624 Account Name: 60AFA229-2832-4690-B67F-95C9F0206489 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF1CBC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614502Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:52:12 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1622123049-1183852594-3382017974-2305040624 Account Name: 60AFA229-2832-4690-B67F-95C9F0206489 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF1CBC Privileges: SeImpersonatePrivilege467200125480-921436483760003481614501Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:52:12 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1622123049-1183852594-3382017974-2305040624 Account Name: 60AFA229-2832-4690-B67F-95C9F0206489 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF1CBC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614500Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:52:12 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 60AFA229-2832-4690-B67F-95C9F0206489 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614499Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:52:12 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1622123049-1183852594-3382017974-2305040624 Account Name: 60AFA229-2832-4690-B67F-95C9F0206489 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF1C73 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614498Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:52:12 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1622123049-1183852594-3382017974-2305040624 Account Name: 60AFA229-2832-4690-B67F-95C9F0206489 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF1C73 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614497Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:52:12 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1622123049-1183852594-3382017974-2305040624 Account Name: 60AFA229-2832-4690-B67F-95C9F0206489 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF1C73 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614496Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:52:12 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 60AFA229-2832-4690-B67F-95C9F0206489 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614495Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:52:12 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1622123049-1183852594-3382017974-2305040624 Account Name: 60AFA229-2832-4690-B67F-95C9F0206489 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF1BCD Privileges: SeImpersonatePrivilege467200125480-921436483760003481614494Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:52:12 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1622123049-1183852594-3382017974-2305040624 Account Name: 60AFA229-2832-4690-B67F-95C9F0206489 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF1BCD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614493Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:52:12 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 60AFA229-2832-4690-B67F-95C9F0206489 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614492Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:52:12 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2294784429-1339304867-1387050680-3134643855 Account Name: 88C7A1AD-2BA3-4FD4-B8B6-AC528FDED6BA Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD3F22 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614491Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:52:08 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-891896133-1216921071-4125399936-3976611282 Account Name: 35294145-BDEF-4888-809B-E4F5D24506ED Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE209E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614490Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:52:01 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0xE0C66 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614489Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:52:00 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2294784429-1339304867-1387050680-3134643855 Account Name: 88C7A1AD-2BA3-4FD4-B8B6-AC528FDED6BA Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE991F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614488Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:51:58 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2294784429-1339304867-1387050680-3134643855 Account Name: 88C7A1AD-2BA3-4FD4-B8B6-AC528FDED6BA Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE991F Privileges: SeImpersonatePrivilege467200125480-921436483760003481614487Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:51:58 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2294784429-1339304867-1387050680-3134643855 Account Name: 88C7A1AD-2BA3-4FD4-B8B6-AC528FDED6BA Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE991F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614486Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:51:58 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 88C7A1AD-2BA3-4FD4-B8B6-AC528FDED6BA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614485Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:51:58 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-891896133-1216921071-4125399936-3976611282 Account Name: 35294145-BDEF-4888-809B-E4F5D24506ED Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE8468 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614484Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:51:57 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-891896133-1216921071-4125399936-3976611282 Account Name: 35294145-BDEF-4888-809B-E4F5D24506ED Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE8468 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614483Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:51:57 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-891896133-1216921071-4125399936-3976611282 Account Name: 35294145-BDEF-4888-809B-E4F5D24506ED Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE8468 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614482Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:51:57 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 35294145-BDEF-4888-809B-E4F5D24506ED Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614481Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:51:57 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-891896133-1216921071-4125399936-3976611282 Account Name: 35294145-BDEF-4888-809B-E4F5D24506ED Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE2EF8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614480Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:51:52 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-891896133-1216921071-4125399936-3976611282 Account Name: 35294145-BDEF-4888-809B-E4F5D24506ED Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE2EF8 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614479Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:51:52 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-891896133-1216921071-4125399936-3976611282 Account Name: 35294145-BDEF-4888-809B-E4F5D24506ED Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE2EF8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614478Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:51:52 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 35294145-BDEF-4888-809B-E4F5D24506ED Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614477Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:51:52 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-891896133-1216921071-4125399936-3976611282 Account Name: 35294145-BDEF-4888-809B-E4F5D24506ED Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE1D08 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614476Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:51:51 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-891896133-1216921071-4125399936-3976611282 Account Name: 35294145-BDEF-4888-809B-E4F5D24506ED Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE209E Privileges: SeImpersonatePrivilege467200125480-921436483760003481614475Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:51:51 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-891896133-1216921071-4125399936-3976611282 Account Name: 35294145-BDEF-4888-809B-E4F5D24506ED Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE209E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614474Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:51:51 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 35294145-BDEF-4888-809B-E4F5D24506ED Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614473Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:51:51 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-891896133-1216921071-4125399936-3976611282 Account Name: 35294145-BDEF-4888-809B-E4F5D24506ED Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE2045 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614472Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:51:51 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-891896133-1216921071-4125399936-3976611282 Account Name: 35294145-BDEF-4888-809B-E4F5D24506ED Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE2045 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614471Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:51:51 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-891896133-1216921071-4125399936-3976611282 Account Name: 35294145-BDEF-4888-809B-E4F5D24506ED Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE2045 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614470Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:51:51 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 35294145-BDEF-4888-809B-E4F5D24506ED Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614469Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:51:51 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-891896133-1216921071-4125399936-3976611282 Account Name: 35294145-BDEF-4888-809B-E4F5D24506ED Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE1FA4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614468Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:51:51 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-891896133-1216921071-4125399936-3976611282 Account Name: 35294145-BDEF-4888-809B-E4F5D24506ED Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE1FA4 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614467Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:51:51 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-891896133-1216921071-4125399936-3976611282 Account Name: 35294145-BDEF-4888-809B-E4F5D24506ED Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE1FA4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614466Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:51:51 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 35294145-BDEF-4888-809B-E4F5D24506ED Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614465Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:51:51 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-891896133-1216921071-4125399936-3976611282 Account Name: 35294145-BDEF-4888-809B-E4F5D24506ED Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE1D08 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614464Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:51:51 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-891896133-1216921071-4125399936-3976611282 Account Name: 35294145-BDEF-4888-809B-E4F5D24506ED Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE1D08 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614463Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:51:51 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 35294145-BDEF-4888-809B-E4F5D24506ED Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614462Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:51:51 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon ID: 0xE0C66 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {D0B31884-CC83-5AC1-AEA2-9978389BDDB1} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.59 Source Port: 52586 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614461Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:51:44 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: Administrator Account Domain: CBCI-830646-22 Logon ID: 0xE0C66 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614460Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:51:44 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-550021360-1303485221-2677573531-1586359749 Account Name: 20C8A8F0-9B25-4DB1-9B87-989FC5ED8D5E Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD2286 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614459Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:51:40 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2294784429-1339304867-1387050680-3134643855 Account Name: 88C7A1AD-2BA3-4FD4-B8B6-AC528FDED6BA Account Domain: NT VIRTUAL MACHINE Logon ID: 0xDB6B3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614458Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:51:38 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2294784429-1339304867-1387050680-3134643855 Account Name: 88C7A1AD-2BA3-4FD4-B8B6-AC528FDED6BA Account Domain: NT VIRTUAL MACHINE Logon ID: 0xDB6B3 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614457Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:51:38 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2294784429-1339304867-1387050680-3134643855 Account Name: 88C7A1AD-2BA3-4FD4-B8B6-AC528FDED6BA Account Domain: NT VIRTUAL MACHINE Logon ID: 0xDB6B3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614456Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:51:38 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 88C7A1AD-2BA3-4FD4-B8B6-AC528FDED6BA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614455Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:51:38 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-550021360-1303485221-2677573531-1586359749 Account Name: 20C8A8F0-9B25-4DB1-9B87-989FC5ED8D5E Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD904F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614454Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:51:35 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-550021360-1303485221-2677573531-1586359749 Account Name: 20C8A8F0-9B25-4DB1-9B87-989FC5ED8D5E Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD904F Privileges: SeImpersonatePrivilege467200125480-921436483760003481614453Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:51:35 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-550021360-1303485221-2677573531-1586359749 Account Name: 20C8A8F0-9B25-4DB1-9B87-989FC5ED8D5E Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD904F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614452Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:51:35 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 20C8A8F0-9B25-4DB1-9B87-989FC5ED8D5E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614451Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:51:35 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2294784429-1339304867-1387050680-3134643855 Account Name: 88C7A1AD-2BA3-4FD4-B8B6-AC528FDED6BA Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD4C28 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614450Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:51:30 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2294784429-1339304867-1387050680-3134643855 Account Name: 88C7A1AD-2BA3-4FD4-B8B6-AC528FDED6BA Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD4C28 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614449Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:51:30 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2294784429-1339304867-1387050680-3134643855 Account Name: 88C7A1AD-2BA3-4FD4-B8B6-AC528FDED6BA Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD4C28 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614448Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:51:30 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 88C7A1AD-2BA3-4FD4-B8B6-AC528FDED6BA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614447Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:51:30 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2294784429-1339304867-1387050680-3134643855 Account Name: 88C7A1AD-2BA3-4FD4-B8B6-AC528FDED6BA Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD3DDB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614446Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:51:30 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2294784429-1339304867-1387050680-3134643855 Account Name: 88C7A1AD-2BA3-4FD4-B8B6-AC528FDED6BA Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD3F22 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614445Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:51:30 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2294784429-1339304867-1387050680-3134643855 Account Name: 88C7A1AD-2BA3-4FD4-B8B6-AC528FDED6BA Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD3F22 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614444Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:51:30 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 88C7A1AD-2BA3-4FD4-B8B6-AC528FDED6BA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614443Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:51:30 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2294784429-1339304867-1387050680-3134643855 Account Name: 88C7A1AD-2BA3-4FD4-B8B6-AC528FDED6BA Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD3EC9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614442Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:51:30 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2294784429-1339304867-1387050680-3134643855 Account Name: 88C7A1AD-2BA3-4FD4-B8B6-AC528FDED6BA Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD3EC9 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614441Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:51:30 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2294784429-1339304867-1387050680-3134643855 Account Name: 88C7A1AD-2BA3-4FD4-B8B6-AC528FDED6BA Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD3EC9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614440Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:51:30 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 88C7A1AD-2BA3-4FD4-B8B6-AC528FDED6BA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614439Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:51:30 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2294784429-1339304867-1387050680-3134643855 Account Name: 88C7A1AD-2BA3-4FD4-B8B6-AC528FDED6BA Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD3E80 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614438Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:51:30 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2294784429-1339304867-1387050680-3134643855 Account Name: 88C7A1AD-2BA3-4FD4-B8B6-AC528FDED6BA Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD3E80 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614437Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:51:30 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2294784429-1339304867-1387050680-3134643855 Account Name: 88C7A1AD-2BA3-4FD4-B8B6-AC528FDED6BA Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD3E80 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614436Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:51:30 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 88C7A1AD-2BA3-4FD4-B8B6-AC528FDED6BA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614435Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:51:30 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2294784429-1339304867-1387050680-3134643855 Account Name: 88C7A1AD-2BA3-4FD4-B8B6-AC528FDED6BA Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD3DDB Privileges: SeImpersonatePrivilege467200125480-921436483760003481614434Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:51:30 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2294784429-1339304867-1387050680-3134643855 Account Name: 88C7A1AD-2BA3-4FD4-B8B6-AC528FDED6BA Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD3DDB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614433Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:51:30 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 88C7A1AD-2BA3-4FD4-B8B6-AC528FDED6BA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614432Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:51:30 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-550021360-1303485221-2677573531-1586359749 Account Name: 20C8A8F0-9B25-4DB1-9B87-989FC5ED8D5E Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD30C4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614431Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:51:28 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-550021360-1303485221-2677573531-1586359749 Account Name: 20C8A8F0-9B25-4DB1-9B87-989FC5ED8D5E Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD30C4 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614430Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:51:28 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-550021360-1303485221-2677573531-1586359749 Account Name: 20C8A8F0-9B25-4DB1-9B87-989FC5ED8D5E Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD30C4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614429Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:51:28 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 20C8A8F0-9B25-4DB1-9B87-989FC5ED8D5E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614428Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:51:28 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-550021360-1303485221-2677573531-1586359749 Account Name: 20C8A8F0-9B25-4DB1-9B87-989FC5ED8D5E Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD213F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614427Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:51:28 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-550021360-1303485221-2677573531-1586359749 Account Name: 20C8A8F0-9B25-4DB1-9B87-989FC5ED8D5E Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD2286 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614426Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:51:28 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-550021360-1303485221-2677573531-1586359749 Account Name: 20C8A8F0-9B25-4DB1-9B87-989FC5ED8D5E Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD2286 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614425Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:51:28 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 20C8A8F0-9B25-4DB1-9B87-989FC5ED8D5E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614424Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:51:28 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-550021360-1303485221-2677573531-1586359749 Account Name: 20C8A8F0-9B25-4DB1-9B87-989FC5ED8D5E Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD222D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614423Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:51:28 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-550021360-1303485221-2677573531-1586359749 Account Name: 20C8A8F0-9B25-4DB1-9B87-989FC5ED8D5E Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD222D Privileges: SeImpersonatePrivilege467200125480-921436483760003481614422Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:51:28 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-550021360-1303485221-2677573531-1586359749 Account Name: 20C8A8F0-9B25-4DB1-9B87-989FC5ED8D5E Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD222D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614421Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:51:28 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 20C8A8F0-9B25-4DB1-9B87-989FC5ED8D5E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614420Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:51:28 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-550021360-1303485221-2677573531-1586359749 Account Name: 20C8A8F0-9B25-4DB1-9B87-989FC5ED8D5E Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD21E4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614419Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:51:28 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-550021360-1303485221-2677573531-1586359749 Account Name: 20C8A8F0-9B25-4DB1-9B87-989FC5ED8D5E Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD21E4 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614418Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:51:28 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-550021360-1303485221-2677573531-1586359749 Account Name: 20C8A8F0-9B25-4DB1-9B87-989FC5ED8D5E Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD21E4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614417Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:51:28 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 20C8A8F0-9B25-4DB1-9B87-989FC5ED8D5E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614416Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:51:28 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-550021360-1303485221-2677573531-1586359749 Account Name: 20C8A8F0-9B25-4DB1-9B87-989FC5ED8D5E Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD213F Privileges: SeImpersonatePrivilege467200125480-921436483760003481614415Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:51:28 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-550021360-1303485221-2677573531-1586359749 Account Name: 20C8A8F0-9B25-4DB1-9B87-989FC5ED8D5E Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD213F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614414Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:51:28 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 20C8A8F0-9B25-4DB1-9B87-989FC5ED8D5E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614413Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:51:28 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-787762669-1175715750-1139416746-2528860702 Account Name: 2EF44DED-FFA6-4613-AA1E-EA431E5ABB96 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xC15E3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614412Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:51:12 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-787762669-1175715750-1139416746-2528860702 Account Name: 2EF44DED-FFA6-4613-AA1E-EA431E5ABB96 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xC72DD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614411Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:51:05 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-787762669-1175715750-1139416746-2528860702 Account Name: 2EF44DED-FFA6-4613-AA1E-EA431E5ABB96 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xC72DD Privileges: SeImpersonatePrivilege467200125480-921436483760003481614410Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:51:05 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-787762669-1175715750-1139416746-2528860702 Account Name: 2EF44DED-FFA6-4613-AA1E-EA431E5ABB96 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xC72DD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614409Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:51:05 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2EF44DED-FFA6-4613-AA1E-EA431E5ABB96 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614408Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:51:05 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-787762669-1175715750-1139416746-2528860702 Account Name: 2EF44DED-FFA6-4613-AA1E-EA431E5ABB96 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xC248B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614407Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:50:57 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-787762669-1175715750-1139416746-2528860702 Account Name: 2EF44DED-FFA6-4613-AA1E-EA431E5ABB96 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xC248B Privileges: SeImpersonatePrivilege467200125480-921436483760003481614406Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:50:57 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-787762669-1175715750-1139416746-2528860702 Account Name: 2EF44DED-FFA6-4613-AA1E-EA431E5ABB96 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xC248B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614405Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:50:57 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2EF44DED-FFA6-4613-AA1E-EA431E5ABB96 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614404Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:50:57 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-787762669-1175715750-1139416746-2528860702 Account Name: 2EF44DED-FFA6-4613-AA1E-EA431E5ABB96 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xC1485 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614403Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:50:56 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-787762669-1175715750-1139416746-2528860702 Account Name: 2EF44DED-FFA6-4613-AA1E-EA431E5ABB96 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xC15E3 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614402Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:50:56 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-787762669-1175715750-1139416746-2528860702 Account Name: 2EF44DED-FFA6-4613-AA1E-EA431E5ABB96 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xC15E3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614401Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:50:56 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2EF44DED-FFA6-4613-AA1E-EA431E5ABB96 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614400Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:50:56 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-787762669-1175715750-1139416746-2528860702 Account Name: 2EF44DED-FFA6-4613-AA1E-EA431E5ABB96 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xC1584 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614399Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:50:56 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-787762669-1175715750-1139416746-2528860702 Account Name: 2EF44DED-FFA6-4613-AA1E-EA431E5ABB96 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xC1584 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614398Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:50:56 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-787762669-1175715750-1139416746-2528860702 Account Name: 2EF44DED-FFA6-4613-AA1E-EA431E5ABB96 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xC1584 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614397Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:50:56 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2EF44DED-FFA6-4613-AA1E-EA431E5ABB96 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614396Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:50:56 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-787762669-1175715750-1139416746-2528860702 Account Name: 2EF44DED-FFA6-4613-AA1E-EA431E5ABB96 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xC153B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614395Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:50:56 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-787762669-1175715750-1139416746-2528860702 Account Name: 2EF44DED-FFA6-4613-AA1E-EA431E5ABB96 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xC153B Privileges: SeImpersonatePrivilege467200125480-921436483760003481614394Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:50:56 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-787762669-1175715750-1139416746-2528860702 Account Name: 2EF44DED-FFA6-4613-AA1E-EA431E5ABB96 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xC153B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614393Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:50:56 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2EF44DED-FFA6-4613-AA1E-EA431E5ABB96 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614392Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:50:56 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-787762669-1175715750-1139416746-2528860702 Account Name: 2EF44DED-FFA6-4613-AA1E-EA431E5ABB96 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xC1485 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614391Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:50:56 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-787762669-1175715750-1139416746-2528860702 Account Name: 2EF44DED-FFA6-4613-AA1E-EA431E5ABB96 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xC1485 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614390Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:50:56 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2EF44DED-FFA6-4613-AA1E-EA431E5ABB96 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614389Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:50:56 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614388Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:50:55 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614387Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:50:55 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-21-3633094841-3717610605-3277516014-1001 Account Name: Admin Account Domain: N-H2-830646-22 Logon ID: 0x20C16 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x91c Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe479900138260-921436483760003481614386Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:49:02 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key migration operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Additional Information: Operation: Export of persistent cryptographic key. Return Code: 0x0505900122920-921436483760003481614385Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:48:46 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0506100122900-921436483760003481614384Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:48:46 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSystem IntegritySystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Key File Operation Information: File Path: C:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_3c6c94b9-4ecf-4405-b7e6-967cd262051b Operation: Read persisted key from file. Return Code: 0x0505800122920-921436483760003481614383Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:48:46 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3633094841-3717610605-3277516014-1000 Account Name: cloudbase-init Account Domain: N-H2-830646-22 Logon ID: 0x1545E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614382Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:47:47 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: administrator Account Domain: CBCI-830646-22 Logon ID: 0x6A8DE Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614381Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:47:43 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: administrator Account Domain: CBCI-830646-22 Logon ID: 0x6A8DE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F87C0104-61B2-2B8D-2F52-0E742903CE11} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: N-H2-830646-22 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614380Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:47:43 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: administrator Account Domain: CBCI-830646-22 Logon GUID: {F87C0104-61B2-2B8D-2F52-0E742903CE11} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614379Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:47:43 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x578 Process Name: C:\Windows\System32\svchost.exe479900138260-921436483760003481614378Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:47:40 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: administrator Account Domain: CBCI-830646-22 Logon ID: 0x52806 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614377Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:47:38 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-685390083-2367142952-234684365-500 Account Name: administrator Account Domain: CBCI-830646-22 Logon ID: 0x52806 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {63839839-E5A2-E7C6-C1C4-7EE7A0B91ADC} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: N-H2-830646-22 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614376Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:47:38 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: administrator Account Domain: CBCI-830646-22 Logon GUID: {63839839-E5A2-E7C6-C1C4-7EE7A0B91ADC} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614375Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:47:38 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x4D35F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614374Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:47:30 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x4D35F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {1F1732FE-ED2C-A12D-2613-5725FBBBE6AF} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614373Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:47:30 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x4D35F Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614372Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:47:30 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22.LOCAL Logon GUID: {59E944C4-DB62-1841-B05F-CCE7297FE7DF} Target Server: Target Server Name: n-h2-830646-22$ Additional Information: n-h2-830646-22$ Process Information: Process ID: 0xc98 Process Name: C:\Windows\System32\taskhostw.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614371Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:47:30 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x4B7AA Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614370Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:47:30 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x4B7AA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0716E605-8C41-B7D7-8085-700964D80AA1} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 0 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614369Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:47:30 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x4B7AA Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614368Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:47:30 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3FF68 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614367Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:47:20 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x3FF68 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {3CE19504-9F46-943C-D57F-7CE9424B439C} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614366Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:47:20 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3FF68 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614365Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:47:20 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22.LOCAL Logon GUID: {9937C679-284D-BB69-DC9E-BA9A19547EF3} Target Server: Target Server Name: n-h2-830646-22$ Additional Information: n-h2-830646-22$ Process Information: Process ID: 0xc18 Process Name: C:\Windows\System32\taskhostw.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614364Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:47:20 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3DA33 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614363Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:47:19 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x3DA33 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0716E605-8C41-B7D7-8085-700964D80AA1} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 0 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614362Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:47:19 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3DA33 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614361Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:47:19 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
System security access was granted to an account. Subject: Security ID: S-1-5-21-3633094841-3717610605-3277516014-1001 Account Name: Admin Account Domain: N-H2-830646-22 Logon ID: 0x20C16 Account Modified: Account Name: S-1-5-21-685390083-2367142952-234684365-500 Access Granted: Access Right: SeServiceLogonRight471700135690-921436483760003481614360Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:47:12 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoAuthentication Policy ChangeSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3633094841-3717610605-3277516014-1000 Account Name: cloudbase-init Account Domain: N-H2-830646-22 Logon ID: 0x2D848 Logon Type: 4 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614359Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:47:07 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614358Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:46:57 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614357Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:46:57 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x33C5D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614356Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:46:55 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x33C5D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {398AB2C4-43CC-C203-8D9C-AAD3036057AF} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614355Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:46:55 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x33C5D Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614354Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:46:55 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22.LOCAL Logon GUID: {54CC82E7-7C3B-8EF1-694D-9475F3BE8C8F} Target Server: Target Server Name: n-h2-830646-22$ Additional Information: n-h2-830646-22$ Process Information: Process ID: 0xfd8 Process Name: C:\Windows\System32\taskhostw.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614353Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:46:55 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3277E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614352Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:46:54 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x3277E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {3F56467A-F243-464B-666C-77A68CBA6B6E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614351Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:46:54 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3277E Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614350Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:46:54 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22.LOCAL Logon GUID: {6BAF354A-3E3A-43F3-8E56-EFB2D82E3607} Target Server: Target Server Name: n-h2-830646-22$ Additional Information: n-h2-830646-22$ Process Information: Process ID: 0xc10 Process Name: C:\Windows\System32\taskhostw.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614349Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h2-830646-22.cbci-830646-22.local8/27/2022 5:46:54 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3633094841-3717610605-3277516014-1000 Account Name: cloudbase-init Account Domain: N-H2-830646-22 Logon ID: 0x2D848 Privileges: SeAssignPrimaryTokenPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614348Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:46:52 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-21-3633094841-3717610605-3277516014-1000 Account Name: cloudbase-init Account Domain: N-H2-830646-22 Logon ID: 0x1545E Logon Information: Logon Type: 4 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3633094841-3717610605-3277516014-1000 Account Name: cloudbase-init Account Domain: N-H2-830646-22 Logon ID: 0x2D848 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa30 Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe Network Information: Workstation Name: N-H2-830646-22 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614347Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:46:52 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: cloudbase-init Source Workstation: N-H2-830646-22 Error Code: 0x0477600143360-921436483760003481614346Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:46:52 AM5de0f276-b9d8-0000-b7f2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoCredential ValidationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to reset an account's password. Subject: Security ID: S-1-5-21-3633094841-3717610605-3277516014-1000 Account Name: cloudbase-init Account Domain: N-H2-830646-22 Logon ID: 0x1545E Target Account: Security ID: S-1-5-21-3633094841-3717610605-3277516014-1000 Account Name: cloudbase-init Account Domain: N-H2-830646-22472400138240-921436483760003481614345Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:46:52 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-21-3633094841-3717610605-3277516014-1000 Account Name: cloudbase-init Account Domain: N-H2-830646-22 Logon ID: 0x1545E Target Account: Security ID: S-1-5-21-3633094841-3717610605-3277516014-1000 Account Name: cloudbase-init Account Domain: N-H2-830646-22 Changed Attributes: SAM Account Name: cloudbase-init Display Name: cloudbase-init User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: 8/27/2022 5:46:52 AM Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x210 New UAC Value: 0x210 User Account Control: - User Parameters: - SID History: - Logon Hours: All Additional Information: Privileges: -473800138240-921436483760003481614344Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:46:52 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-3633094841-3717610605-3277516014-1000 Account Name: cloudbase-init Account Domain: N-H2-830646-22 Logon ID: 0x1545E User: Security ID: S-1-5-21-3633094841-3717610605-3277516014-1000 Account Name: cloudbase-init Account Domain: N-H2-830646-22 Process Information: Process ID: 0xa30 Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe479800138240-921436483760003481614343Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:46:52 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-3633094841-3717610605-3277516014-1000 Account Name: cloudbase-init Account Domain: N-H2-830646-22 Logon ID: 0x1545E User: Security ID: S-1-5-21-3633094841-3717610605-3277516014-1000 Account Name: cloudbase-init Account Domain: N-H2-830646-22 Process Information: Process ID: 0xa30 Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe479800138240-921436483760003481614342Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:46:52 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x27F85 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614341Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:46:49 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x27F85 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0716E605-8C41-B7D7-8085-700964D80AA1} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 0 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614340Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:46:49 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x27F85 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614339Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:46:49 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe479900138260-921436483760003481614338Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:46:48 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe479900138260-921436483760003481614337Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:46:48 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614336Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:46:48 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614335Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:46:48 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614334Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:46:48 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614333Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:46:48 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Domain Policy was changed. Change Type: Password Policy modified Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Domain: Domain Name: N-H2-830646-22 Domain ID: S-1-5-21-3633094841-3717610605-3277516014 Changed Attributes: Min. Password Age: ??? Max. Password Age: ??? Force Logoff: - Lockout Threshold: - Lockout Observation Window: - Lockout Duration: - Password Properties: 1 Min. Password Length: 7 Password History Length: 24 Machine Account Quota: - Mixed Domain Mode: - Domain Behavior Version: - OEM Information: - Additional Information: Privileges: -473900135690-921436483760003481614332Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:46:47 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoAuthentication Policy ChangeSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x578 Process Name: C:\Windows\System32\svchost.exe479900138260-921436483760003481614331Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:46:47 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3633094841-3717610605-3277516014-1001 Account Name: Admin Account Domain: N-H2-830646-22 Logon ID: 0x20C16 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614330Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:46:46 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-20 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3633094841-3717610605-3277516014-1001 Account Name: Admin Account Domain: N-H2-830646-22 Logon ID: 0x20C16 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4a8 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: N-H2-830646-22 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614329Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:46:46 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-20 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Admin Account Domain: N-H2-830646-22 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4a8 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614328Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:46:46 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Admin Source Workstation: N-H2-830646-22 Error Code: 0x0477600143360-921436483760003481614327Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:46:46 AM5de0f276-b9d8-0004-90f2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoCredential ValidationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: 98aa1e51-e5ba-4e1a-9f69-b103d6d519bb Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0506100122900-921436483760003481614326Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:46:46 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSystem IntegritySystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: 98aa1e51-e5ba-4e1a-9f69-b103d6d519bb Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\1954eb1a3454511836281a6d07ec4652_3c6c94b9-4ecf-4405-b7e6-967cd262051b Operation: Read persisted key from file. Return Code: 0x0505800122920-921436483760003481614325Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:46:46 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x1CB0B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614324Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:46:45 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x1CB0B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0716E605-8C41-B7D7-8085-700964D80AA1} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 0 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614323Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:46:45 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x1CB0B Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614322Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:46:45 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x1B69B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614321Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:46:45 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22.LOCAL Logon ID: 0x1B69B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0716E605-8C41-B7D7-8085-700964D80AA1} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 0 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614320Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:46:45 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x1B69B Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614319Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:46:45 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x578 Process Name: C:\Windows\System32\svchost.exe479900138260-921436483760003481614318Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:46:45 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The Windows Firewall service started successfully.502400122920-921436483760003481614317Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h2-830646-22.cbci-830646-22.local8/27/2022 5:46:45 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: TSSecKeySet1 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0506100122900-921436483760003481614316Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:46:45 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSystem IntegritySystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: TSSecKeySet1 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f686aace6942fb7f7ceb231212eef4a4_3c6c94b9-4ecf-4405-b7e6-967cd262051b Operation: Read persisted key from file. Return Code: 0x0505800122920-921436483760003481614315Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:46:45 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: TSSecKeySet1 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0506100122900-921436483760003481614314Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:46:45 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSystem IntegritySystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: TSSecKeySet1 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f686aace6942fb7f7ceb231212eef4a4_3c6c94b9-4ecf-4405-b7e6-967cd262051b Operation: Read persisted key from file. Return Code: 0x0505800122920-921436483760003481614313Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:46:45 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-7 Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x167B9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V1 Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614312Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:46:44 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-20 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E4 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x4a8 Process Name: C:\Windows\System32\svchost.exe479900138260-921436483760003481614311Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:46:44 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-20 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E4 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x4a8 Process Name: C:\Windows\System32\svchost.exe479900138260-921436483760003481614310Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:46:44 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3633094841-3717610605-3277516014-1000 Account Name: cloudbase-init Account Domain: N-H2-830646-22 Logon ID: 0x1545E Privileges: SeAssignPrimaryTokenPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614309Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:46:44 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3633094841-3717610605-3277516014-1000 Account Name: cloudbase-init Account Domain: N-H2-830646-22 Logon ID: 0x1545E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: N-H2-830646-22 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614308Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:46:44 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: cloudbase-init Account Domain: N-H2-830646-22 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614307Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:46:44 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: cloudbase-init Source Workstation: N-H2-830646-22 Error Code: 0x0477600143360-921436483760003481614306Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:46:44 AM5de0f276-b9d8-0002-8df2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoCredential ValidationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614305Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:46:44 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614304Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:46:44 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614303Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:46:44 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614302Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202180n-h2-830646-22.cbci-830646-22.local8/27/2022 5:46:44 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614301Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:46:44 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614300Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202180n-h2-830646-22.cbci-830646-22.local8/27/2022 5:46:44 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614299Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:46:44 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614298Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:46:44 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614297Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:46:44 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614296Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:46:44 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x578 Process Name: C:\Windows\System32\svchost.exe479900138260-921436483760003481614295Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:46:44 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x578 Process Name: C:\Windows\System32\svchost.exe479900138260-921436483760003481614294Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:46:44 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614293Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:46:44 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614292Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:46:44 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The Windows Firewall Driver started successfully.503300122920-921436483760003481614291Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4208n-h2-830646-22.cbci-830646-22.local8/27/2022 5:46:44 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x5e4 Process Name: C:\Windows\System32\VSSVC.exe479900138260-921436483760003481614290Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:46:43 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x5e4 Process Name: C:\Windows\System32\VSSVC.exe479900138260-921436483760003481614289Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:46:43 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x5e4 Process Name: C:\Windows\System32\VSSVC.exe479900138260-921436483760003481614288Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:46:43 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x5e4 Process Name: C:\Windows\System32\VSSVC.exe479900138260-921436483760003481614287Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:46:43 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x5e4 Process Name: C:\Windows\System32\VSSVC.exe479900138260-921436483760003481614286Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:46:43 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x5e4 Process Name: C:\Windows\System32\VSSVC.exe479900138260-921436483760003481614285Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:46:43 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x5e4 Process Name: C:\Windows\System32\VSSVC.exe479900138260-921436483760003481614284Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:46:43 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x5e4 Process Name: C:\Windows\System32\VSSVC.exe479900138260-921436483760003481614283Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:46:43 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614282Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:46:43 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614281Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:46:43 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614280Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:46:43 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614279Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:46:43 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614278Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:46:43 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614277Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820492n-h2-830646-22.cbci-830646-22.local8/27/2022 5:46:43 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The system time was changed. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Process Information: Process ID: 0x3fc Name: C:\Windows\System32\svchost.exe Previous Time: ?2022?-?08?-?27T05:46:43.843898400Z New Time: ?2022?-?08?-?27T05:46:43.384000000Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.461610122880-921436483760003481614276Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4360n-h2-830646-22.cbci-830646-22.local8/27/2022 5:46:43 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity State ChangeSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614275Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:46:43 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614274Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:46:43 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege467200125480-921436483760003481614273Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:46:43 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614272Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h2-830646-22.cbci-830646-22.local8/27/2022 5:46:43 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614271Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:46:43 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614270Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h2-830646-22.cbci-830646-22.local8/27/2022 5:46:43 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xBC48 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege467200125480-921436483760003481614269Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:46:43 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xBC35 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege467200125480-921436483760003481614268Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:46:43 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xBC48 Linked Logon ID: 0xBC35 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2d8 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614267Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:46:43 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xBC35 Linked Logon ID: 0xBC48 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2d8 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614266Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:46:43 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-1 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x2d8 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614265Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:46:43 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege467200125480-921436483760003481614264Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:46:42 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614263Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:46:42 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614262Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:46:42 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: CBCI-830646-22 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614261Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h2-830646-22.cbci-830646-22.local8/27/2022 5:46:42 AM5de0f276-b9d8-0005-7bf2-e05dd8b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0x654D490200135680-921436483760003481614260Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820868n-h2-830646-22.cbci-830646-22.local8/27/2022 5:46:42 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoAudit Policy ChangeSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 0 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: - New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614259Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820824n-h2-830646-22.cbci-830646-22.local8/27/2022 5:46:41 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.460800122880-921436483760003481614258Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820824n-h2-830646-22.cbci-830646-22.local8/27/2022 5:46:41 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity State ChangeSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x334 New Process Name: C:\Windows\System32\lsass.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2b4 Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481614257Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4136n-h2-830646-22.cbci-830646-22.local8/27/2022 5:46:41 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x324 New Process Name: C:\Windows\System32\services.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2b4 Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481614256Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4136n-h2-830646-22.cbci-830646-22.local8/27/2022 5:46:40 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2d8 New Process Name: C:\Windows\System32\winlogon.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x290 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481614255Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4360n-h2-830646-22.cbci-830646-22.local8/27/2022 5:46:40 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2b4 New Process Name: C:\Windows\System32\wininit.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x23c Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481614254Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4360n-h2-830646-22.cbci-830646-22.local8/27/2022 5:46:40 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x29c New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x290 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481614253Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4360n-h2-830646-22.cbci-830646-22.local8/27/2022 5:46:40 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x290 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x18c Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481614252Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4360n-h2-830646-22.cbci-830646-22.local8/27/2022 5:46:40 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x244 New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x23c Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481614251Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4136n-h2-830646-22.cbci-830646-22.local8/27/2022 5:46:39 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x23c New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x18c Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481614250Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4136n-h2-830646-22.cbci-830646-22.local8/27/2022 5:46:39 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x210 New Process Name: C:\Windows\System32\autochk.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x18c Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481614249Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4208n-h2-830646-22.cbci-830646-22.local8/27/2022 5:46:37 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x18c New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481614248Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4208n-h2-830646-22.cbci-830646-22.local8/27/2022 5:46:36 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x188 New Process Name: Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481614247Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4136n-h2-830646-22.cbci-830646-22.local8/27/2022 5:46:36 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Boot Configuration Data loaded. Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 General Settings: Load Options: - Advanced Options: No Configuration Access Policy: Default System Event Logging: No Kernel Debugging: No VSM Launch Type: Auto Signature Settings: Test Signing: No Flight Signing: No Disable Integrity Checks: No HyperVisor Settings: HyperVisor Load Options: - HyperVisor Launch Type: Auto HyperVisor Debugging: No482600135730-921436483760003481614246Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4136n-h2-830646-22.cbci-830646-22.local8/27/2022 5:46:36 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther Policy Change EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The system time was changed. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Process Information: Process ID: 0x59c Name: C:\Windows\System32\svchost.exe Previous Time: ?2022?-?08?-?27T05:46:25.896400500Z New Time: ?2022?-?08?-?27T05:46:25.885000000Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.461610122880-921436483760003481614245Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4136n-h2-830646-228/27/2022 5:46:25 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity State ChangeSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3633094841-3717610605-3277516014-1001 Account Name: Admin Account Domain: N-H2-830646-22 Logon ID: 0x605AF8 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614244Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8162180n-h2-830646-228/27/2022 5:46:25 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-20 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3633094841-3717610605-3277516014-1001 Account Name: Admin Account Domain: N-H2-830646-22 Logon ID: 0x605AF8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: N-H2-830646-22 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614243Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8162180n-h2-830646-228/27/2022 5:46:25 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-20 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Admin Account Domain: N-H2-830646-22 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614242Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8162180n-h2-830646-228/27/2022 5:46:25 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Admin Source Workstation: N-H2-830646-22 Error Code: 0x0477600143360-921436483760003481614241Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8162180n-h2-830646-228/27/2022 5:46:25 AMd04d1aa4-b9d0-0002-4a2b-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoCredential ValidationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The event logging service has shut down.1100041030462069321768212889614240Microsoft-Windows-Eventlogfc65ddd8-d6ef-4962-83d5-6e5cfe9ce148Security14283668n-h2-830646-228/27/2022 5:46:25 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoService shutdownSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A member was added to a security-enabled local group. Subject: Security ID: S-1-5-21-3633094841-3717610605-3277516014-1001 Account Name: Admin Account Domain: N-H2-830646-22 Logon ID: 0x11EBE8 Member: Security ID: S-1-5-21-685390083-2367142952-234684365-513 Account Name: - Group: Security ID: S-1-5-32-545 Group Name: Users Group Domain: Builtin Additional Information: Privileges: -473200138260-921436483760003481614239Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816856n-h2-830646-228/27/2022 5:46:21 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A member was added to a security-enabled local group. Subject: Security ID: S-1-5-21-3633094841-3717610605-3277516014-1001 Account Name: Admin Account Domain: N-H2-830646-22 Logon ID: 0x11EBE8 Member: Security ID: S-1-5-21-685390083-2367142952-234684365-512 Account Name: - Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Additional Information: Privileges: -473200138260-921436483760003481614238Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816856n-h2-830646-228/27/2022 5:46:21 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-3633094841-3717610605-3277516014-1001 Account Name: Admin Account Domain: N-H2-830646-22 Logon ID: 0x11EBE8 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: n-ad-830646-22.cbci-830646-22.local Additional Information: cifs/n-ad-830646-22.cbci-830646-22.local Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.222.0.82 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614237Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816856n-h2-830646-228/27/2022 5:46:21 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-3633094841-3717610605-3277516014-1001 Account Name: Admin Account Domain: N-H2-830646-22 Logon ID: 0x11EBE8 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: n-ad-830646-22.cbci-830646-22.local Additional Information: cifs/n-ad-830646-22.cbci-830646-22.local Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.222.0.82 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614236Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816856n-h2-830646-228/27/2022 5:46:21 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-3633094841-3717610605-3277516014-1001 Account Name: Admin Account Domain: N-H2-830646-22 Logon ID: 0x11EBE8 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: n-ad-830646-22.cbci-830646-22.local Additional Information: cifs/n-ad-830646-22.cbci-830646-22.local Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.222.0.82 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614235Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816856n-h2-830646-228/27/2022 5:46:21 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-3633094841-3717610605-3277516014-1001 Account Name: Admin Account Domain: N-H2-830646-22 Logon ID: 0x11EBE8 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: n-ad-830646-22.cbci-830646-22.local Additional Information: cifs/n-ad-830646-22.cbci-830646-22.local Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.222.0.82 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614234Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h2-830646-228/27/2022 5:46:21 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-3633094841-3717610605-3277516014-1001 Account Name: Admin Account Domain: N-H2-830646-22 Logon ID: 0x11EBE8 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: n-ad-830646-22.cbci-830646-22.local Additional Information: cifs/n-ad-830646-22.cbci-830646-22.local Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.222.0.82 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614233Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h2-830646-228/27/2022 5:46:21 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-3633094841-3717610605-3277516014-1001 Account Name: Admin Account Domain: N-H2-830646-22 Logon ID: 0x11EBE8 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: n-ad-830646-22.cbci-830646-22.local Additional Information: cifs/n-ad-830646-22.cbci-830646-22.local Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.222.0.82 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614232Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816856n-h2-830646-228/27/2022 5:46:21 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-3633094841-3717610605-3277516014-1001 Account Name: Admin Account Domain: N-H2-830646-22 Logon ID: 0x11EBE8 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: n-ad-830646-22.cbci-830646-22.local Additional Information: cifs/n-ad-830646-22.cbci-830646-22.local Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.222.0.82 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614231Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h2-830646-228/27/2022 5:46:21 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-3633094841-3717610605-3277516014-1001 Account Name: Admin Account Domain: N-H2-830646-22 Logon ID: 0x11EBE8 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: n-ad-830646-22.cbci-830646-22.local Additional Information: LDAP/n-ad-830646-22.cbci-830646-22.local Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: 10.222.0.82 Port: 49666 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614230Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816856n-h2-830646-228/27/2022 5:46:20 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-3633094841-3717610605-3277516014-1001 Account Name: Admin Account Domain: N-H2-830646-22 Logon ID: 0x11EBE8 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon GUID: {EE776B8B-18AF-5DE1-8D10-406F5AB4C0F1} Target Server: Target Server Name: n-ad-830646-22.cbci-830646-22.local Additional Information: ldap/n-ad-830646-22.cbci-830646-22.local Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614229Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816856n-h2-830646-228/27/2022 5:46:20 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-3633094841-3717610605-3277516014-1001 Account Name: Admin Account Domain: N-H2-830646-22 Logon ID: 0x11EBE8 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: CBCI-830646-22.LOCAL Logon GUID: {EE776B8B-18AF-5DE1-8D10-406F5AB4C0F1} Target Server: Target Server Name: n-ad-830646-22.cbci-830646-22.local Additional Information: cifs/n-ad-830646-22.cbci-830646-22.local Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.222.0.82 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614228Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816856n-h2-830646-228/27/2022 5:46:20 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-21-3633094841-3717610605-3277516014-1001 Account Name: Admin Account Domain: N-H2-830646-22 Logon ID: 0x11EBE8 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0xfa8 Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe479900138260-921436483760003481614227Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816856n-h2-830646-228/27/2022 5:46:05 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614226Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816856n-h2-830646-228/27/2022 5:13:11 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614225Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816856n-h2-830646-228/27/2022 5:13:11 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614224Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816856n-h2-830646-228/27/2022 4:59:40 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614223Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816856n-h2-830646-228/27/2022 4:59:40 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-3633094841-3717610605-3277516014-1001 Account Name: Admin Account Domain: N-H2-830646-22 Logon ID: 0x11EBE8 User: Security ID: S-1-5-21-3633094841-3717610605-3277516014-1001 Account Name: Admin Account Domain: N-H2-830646-22 Process Information: Process ID: 0x1040 Process Name: C:\Program Files\Git\usr\bin\bash.exe479800138240-921436483760003481614222Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816736n-h2-830646-228/27/2022 4:59:29 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3633094841-3717610605-3277516014-1001 Account Name: Admin Account Domain: N-H2-830646-22 Logon ID: 0x11EBE8 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614221Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816856n-h2-830646-228/27/2022 4:56:44 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-20 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3633094841-3717610605-3277516014-1001 Account Name: Admin Account Domain: N-H2-830646-22 Logon ID: 0x11EBE8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: N-H2-830646-22 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614220Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816856n-h2-830646-228/27/2022 4:56:44 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-20 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Admin Account Domain: N-H2-830646-22 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614219Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816856n-h2-830646-228/27/2022 4:56:44 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Admin Source Workstation: N-H2-830646-22 Error Code: 0x0477600143360-921436483760003481614218Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816856n-h2-830646-228/27/2022 4:56:44 AMd04d1aa4-b9d0-0002-e81c-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoCredential ValidationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3633094841-3717610605-3277516014-1001 Account Name: Admin Account Domain: N-H2-830646-22 Logon ID: 0x116F58 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614217Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816864n-h2-830646-228/27/2022 4:56:38 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-20 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3633094841-3717610605-3277516014-1001 Account Name: Admin Account Domain: N-H2-830646-22 Logon ID: 0x116F58 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: N-H2-830646-22 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614216Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816864n-h2-830646-228/27/2022 4:56:38 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-20 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Admin Account Domain: N-H2-830646-22 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614215Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816864n-h2-830646-228/27/2022 4:56:38 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Admin Source Workstation: N-H2-830646-22 Error Code: 0x0477600143360-921436483760003481614214Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816864n-h2-830646-228/27/2022 4:56:38 AMd04d1aa4-b9d0-0004-4b1d-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoCredential ValidationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3633094841-3717610605-3277516014-1001 Account Name: Admin Account Domain: N-H2-830646-22 Logon ID: 0x115DEC Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614213Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816856n-h2-830646-228/27/2022 4:56:38 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-20 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3633094841-3717610605-3277516014-1001 Account Name: Admin Account Domain: N-H2-830646-22 Logon ID: 0x115DEC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: N-H2-830646-22 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614212Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816856n-h2-830646-228/27/2022 4:56:38 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-20 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Admin Account Domain: N-H2-830646-22 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614211Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816856n-h2-830646-228/27/2022 4:56:38 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Admin Source Workstation: N-H2-830646-22 Error Code: 0x0477600143360-921436483760003481614210Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816856n-h2-830646-228/27/2022 4:56:38 AMd04d1aa4-b9d0-0004-491d-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoCredential ValidationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3633094841-3717610605-3277516014-1001 Account Name: Admin Account Domain: N-H2-830646-22 Logon ID: 0x113C51 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614209Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816856n-h2-830646-228/27/2022 4:56:36 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-20 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3633094841-3717610605-3277516014-1001 Account Name: Admin Account Domain: N-H2-830646-22 Logon ID: 0x113C51 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: N-H2-830646-22 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614208Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816856n-h2-830646-228/27/2022 4:56:36 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-20 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Admin Account Domain: N-H2-830646-22 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614207Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816856n-h2-830646-228/27/2022 4:56:36 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Admin Source Workstation: N-H2-830646-22 Error Code: 0x0477600143360-921436483760003481614206Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816856n-h2-830646-228/27/2022 4:56:36 AMd04d1aa4-b9d0-0003-501d-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoCredential ValidationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11 Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0506100122900-921436483760003481614205Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816864n-h2-830646-228/27/2022 4:56:16 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSystem IntegritySystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11 Key Type: User key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\63819b95e4646e20a43fc837afb825c9_6f209d63-1e80-4632-84d6-2afc9405ddcc Operation: Read persisted key from file. Return Code: 0x0505800122920-921436483760003481614204Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816864n-h2-830646-228/27/2022 4:56:16 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to reset an account's password. Subject: Security ID: S-1-5-21-3633094841-3717610605-3277516014-1001 Account Name: Admin Account Domain: N-H2-830646-22 Logon ID: 0x8FC54 Target Account: Security ID: S-1-5-21-3633094841-3717610605-3277516014-500 Account Name: Administrator Account Domain: N-H2-830646-22472400138240-921436483760003481614203Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816864n-h2-830646-228/27/2022 4:55:57 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-21-3633094841-3717610605-3277516014-1001 Account Name: Admin Account Domain: N-H2-830646-22 Logon ID: 0x8FC54 Target Account: Security ID: S-1-5-21-3633094841-3717610605-3277516014-500 Account Name: Administrator Account Domain: N-H2-830646-22 Changed Attributes: SAM Account Name: Administrator Display Name: <value not set> User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: 8/27/2022 4:55:57 AM Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x10 New UAC Value: 0x10 User Account Control: - User Parameters: - SID History: - Logon Hours: All Additional Information: Privileges: -473800138240-921436483760003481614202Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816864n-h2-830646-228/27/2022 4:55:57 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-3633094841-3717610605-3277516014-1001 Account Name: Admin Account Domain: N-H2-830646-22 Logon ID: 0x8FC54 User: Security ID: S-1-5-21-3633094841-3717610605-3277516014-500 Account Name: Administrator Account Domain: N-H2-830646-22 Process Information: Process ID: 0x640 Process Name: C:\Windows\System32\net1.exe479800138240-921436483760003481614201Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816864n-h2-830646-228/27/2022 4:55:57 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-21-3633094841-3717610605-3277516014-1001 Account Name: Admin Account Domain: N-H2-830646-22 Logon ID: 0x8FC54 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x8d0 Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe479900138260-921436483760003481614200Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816856n-h2-830646-228/27/2022 4:55:43 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key migration operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Additional Information: Operation: Export of persistent cryptographic key. Return Code: 0x0505900122920-921436483760003481614199Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816904n-h2-830646-228/27/2022 4:54:54 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key migration operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Additional Information: Operation: Export of persistent cryptographic key. Return Code: 0x0505900122920-921436483760003481614198Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816904n-h2-830646-228/27/2022 4:54:54 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key migration operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Additional Information: Operation: Export of persistent cryptographic key. Return Code: 0x0505900122920-921436483760003481614197Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816904n-h2-830646-228/27/2022 4:54:54 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0506100122900-921436483760003481614196Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816904n-h2-830646-228/27/2022 4:54:54 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSystem IntegritySystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Key File Operation Information: File Path: C:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_3c6c94b9-4ecf-4405-b7e6-967cd262051b Operation: Read persisted key from file. Return Code: 0x0505800122920-921436483760003481614195Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816904n-h2-830646-228/27/2022 4:54:54 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Cryptographic Operation: Operation: Create Key. Return Code: 0x0506100122900-921436483760003481614194Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816904n-h2-830646-228/27/2022 4:54:54 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSystem IntegritySystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Key File Operation Information: File Path: C:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_3c6c94b9-4ecf-4405-b7e6-967cd262051b Operation: Write persisted key to file. Return Code: 0x0505800122920-921436483760003481614193Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816904n-h2-830646-228/27/2022 4:54:54 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x80090016506100122900-921886843722740531214192Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816904n-h2-830646-228/27/2022 4:54:54 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSystem IntegritySystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Key File Operation Information: File Path: C:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_6f209d63-1e80-4632-84d6-2afc9405ddcc Operation: Delete key file. Return Code: 0x0505800122920-921436483760003481614191Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816904n-h2-830646-228/27/2022 4:54:54 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0506100122900-921436483760003481614190Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816904n-h2-830646-228/27/2022 4:54:54 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSystem IntegritySystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Key File Operation Information: File Path: C:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_6f209d63-1e80-4632-84d6-2afc9405ddcc Operation: Read persisted key from file. Return Code: 0x0505800122920-921436483760003481614189Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816904n-h2-830646-228/27/2022 4:54:54 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key migration operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Additional Information: Operation: Export of persistent cryptographic key. Return Code: 0x0505900122920-921436483760003481614188Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816904n-h2-830646-228/27/2022 4:54:54 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0506100122900-921436483760003481614187Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816904n-h2-830646-228/27/2022 4:54:54 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSystem IntegritySystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Key File Operation Information: File Path: C:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_6f209d63-1e80-4632-84d6-2afc9405ddcc Operation: Read persisted key from file. Return Code: 0x0505800122920-921436483760003481614186Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816904n-h2-830646-228/27/2022 4:54:54 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3633094841-3717610605-3277516014-1001 Account Name: Admin Account Domain: N-H2-830646-22 Logon ID: 0x8FC54 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614185Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816904n-h2-830646-228/27/2022 4:53:55 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-20 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3633094841-3717610605-3277516014-1001 Account Name: Admin Account Domain: N-H2-830646-22 Logon ID: 0x8FC54 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: N-H2-830646-22 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614184Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816904n-h2-830646-228/27/2022 4:53:55 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-20 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Admin Account Domain: N-H2-830646-22 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614183Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816904n-h2-830646-228/27/2022 4:53:55 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Admin Source Workstation: N-H2-830646-22 Error Code: 0x0477600143360-921436483760003481614182Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816904n-h2-830646-228/27/2022 4:53:55 AMd04d1aa4-b9d0-0005-b61c-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoCredential ValidationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3633094841-3717610605-3277516014-1000 Account Name: cloudbase-init Account Domain: N-H2-830646-22 Logon ID: 0x2B2F2 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614181Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816904n-h2-830646-228/27/2022 4:53:55 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3633094841-3717610605-3277516014-1001 Account Name: Admin Account Domain: N-H2-830646-22 Logon ID: 0x8E5B6 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614180Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816856n-h2-830646-228/27/2022 4:53:43 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3633094841-3717610605-3277516014-1001 Account Name: Admin Account Domain: N-H2-830646-22 Logon ID: 0x8E5B6 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614179Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816856n-h2-830646-228/27/2022 4:53:43 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-21-3633094841-3717610605-3277516014-1000 Account Name: cloudbase-init Account Domain: N-H2-830646-22 Logon ID: 0x4EE7B Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3633094841-3717610605-3277516014-1001 Account Name: Admin Account Domain: N-H2-830646-22 Logon ID: 0x8E5B6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: N-H2-830646-22 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614178Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816856n-h2-830646-228/27/2022 4:53:43 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-3633094841-3717610605-3277516014-1000 Account Name: cloudbase-init Account Domain: N-H2-830646-22 Logon ID: 0x4EE7B Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Admin Account Domain: N-H2-830646-22 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614177Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816856n-h2-830646-228/27/2022 4:53:43 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Admin Source Workstation: N-H2-830646-22 Error Code: 0x0477600143360-921436483760003481614176Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816856n-h2-830646-228/27/2022 4:53:43 AMd04d1aa4-b9d0-0004-6a1b-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoCredential ValidationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: 98aa1e51-e5ba-4e1a-9f69-b103d6d519bb Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0506100122900-921436483760003481614175Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h2-830646-228/27/2022 4:53:43 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSystem IntegritySystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: 98aa1e51-e5ba-4e1a-9f69-b103d6d519bb Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\1954eb1a3454511836281a6d07ec4652_3c6c94b9-4ecf-4405-b7e6-967cd262051b Operation: Read persisted key from file. Return Code: 0x0505800122920-921436483760003481614174Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h2-830646-228/27/2022 4:53:43 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to reset an account's password. Subject: Security ID: S-1-5-21-3633094841-3717610605-3277516014-1000 Account Name: cloudbase-init Account Domain: N-H2-830646-22 Logon ID: 0x4EE7B Target Account: Security ID: S-1-5-21-3633094841-3717610605-3277516014-1001 Account Name: Admin Account Domain: N-H2-830646-22472400138240-921436483760003481614173Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816856n-h2-830646-228/27/2022 4:53:41 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-21-3633094841-3717610605-3277516014-1000 Account Name: cloudbase-init Account Domain: N-H2-830646-22 Logon ID: 0x4EE7B Target Account: Security ID: S-1-5-21-3633094841-3717610605-3277516014-1001 Account Name: Admin Account Domain: N-H2-830646-22 Changed Attributes: SAM Account Name: Admin Display Name: Admin User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: 8/27/2022 4:53:41 AM Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x210 New UAC Value: 0x210 User Account Control: - User Parameters: - SID History: - Logon Hours: All Additional Information: Privileges: -473800138240-921436483760003481614172Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816856n-h2-830646-228/27/2022 4:53:41 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-3633094841-3717610605-3277516014-1000 Account Name: cloudbase-init Account Domain: N-H2-830646-22 Logon ID: 0x4EE7B User: Security ID: S-1-5-21-3633094841-3717610605-3277516014-1001 Account Name: Admin Account Domain: N-H2-830646-22 Process Information: Process ID: 0xf0c Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe479800138240-921436483760003481614171Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816856n-h2-830646-228/27/2022 4:53:41 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-3633094841-3717610605-3277516014-1000 Account Name: cloudbase-init Account Domain: N-H2-830646-22 Logon ID: 0x4EE7B User: Security ID: S-1-5-21-3633094841-3717610605-3277516014-1001 Account Name: Admin Account Domain: N-H2-830646-22 Process Information: Process ID: 0xf0c Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe479800138240-921436483760003481614170Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816856n-h2-830646-228/27/2022 4:53:41 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-3633094841-3717610605-3277516014-1000 Account Name: cloudbase-init Account Domain: N-H2-830646-22 Logon ID: 0x4EE7B User: Security ID: S-1-5-21-3633094841-3717610605-3277516014-1001 Account Name: Admin Account Domain: N-H2-830646-22 Process Information: Process ID: 0xf0c Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe479800138240-921436483760003481614169Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816856n-h2-830646-228/27/2022 4:53:41 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614168Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816856n-h2-830646-228/27/2022 4:53:36 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614167Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816856n-h2-830646-228/27/2022 4:53:36 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-3633094841-3717610605-3277516014-1000 Account Name: cloudbase-init Account Domain: N-H2-830646-22 Logon ID: 0x4EE7B User: Security ID: S-1-5-21-3633094841-3717610605-3277516014-1001 Account Name: Admin Account Domain: N-H2-830646-22 Process Information: Process ID: 0xf0c Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe479800138240-921436483760003481614166Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816856n-h2-830646-228/27/2022 4:53:35 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A member was added to a security-enabled local group. Subject: Security ID: S-1-5-21-3633094841-3717610605-3277516014-1000 Account Name: cloudbase-init Account Domain: N-H2-830646-22 Logon ID: 0x4EE7B Member: Security ID: S-1-5-21-3633094841-3717610605-3277516014-1001 Account Name: - Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Additional Information: Privileges: -473200138260-921436483760003481614165Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816856n-h2-830646-228/27/2022 4:53:34 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3633094841-3717610605-3277516014-1001 Account Name: Admin Account Domain: N-H2-830646-22 Logon ID: 0x7730D Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614164Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816856n-h2-830646-228/27/2022 4:53:34 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-21-3633094841-3717610605-3277516014-1000 Account Name: cloudbase-init Account Domain: N-H2-830646-22 Logon ID: 0x4EE7B Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x24c Process Name: C:\Windows\System32\svchost.exe479900138260-921436483760003481614163Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816856n-h2-830646-228/27/2022 4:53:34 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-21-3633094841-3717610605-3277516014-1000 Account Name: cloudbase-init Account Domain: N-H2-830646-22 Logon ID: 0x4EE7B Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3633094841-3717610605-3277516014-1001 Account Name: Admin Account Domain: N-H2-830646-22 Logon ID: 0x7730D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xf0c Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe Network Information: Workstation Name: N-H2-830646-22 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614162Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816856n-h2-830646-228/27/2022 4:53:33 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-3633094841-3717610605-3277516014-1000 Account Name: cloudbase-init Account Domain: N-H2-830646-22 Logon ID: 0x4EE7B Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Admin Account Domain: N-H2-830646-22 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xf0c Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614161Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816856n-h2-830646-228/27/2022 4:53:33 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Admin Source Workstation: N-H2-830646-22 Error Code: 0x0477600143360-921436483760003481614160Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816856n-h2-830646-228/27/2022 4:53:33 AMd04d1aa4-b9d0-0002-f61a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoCredential ValidationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to reset an account's password. Subject: Security ID: S-1-5-21-3633094841-3717610605-3277516014-1000 Account Name: cloudbase-init Account Domain: N-H2-830646-22 Logon ID: 0x4EE7B Target Account: Security ID: S-1-5-21-3633094841-3717610605-3277516014-1001 Account Name: Admin Account Domain: N-H2-830646-22472400138240-921436483760003481614159Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816856n-h2-830646-228/27/2022 4:53:28 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-21-3633094841-3717610605-3277516014-1000 Account Name: cloudbase-init Account Domain: N-H2-830646-22 Logon ID: 0x4EE7B Target Account: Security ID: S-1-5-21-3633094841-3717610605-3277516014-1001 Account Name: Admin Account Domain: N-H2-830646-22 Changed Attributes: SAM Account Name: Admin Display Name: Admin User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: 8/27/2022 4:53:28 AM Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x15 New UAC Value: 0x210 User Account Control: Account Enabled 'Password Not Required' - Disabled 'Don't Expire Password' - Enabled User Parameters: - SID History: - Logon Hours: All Additional Information: Privileges: -473800138240-921436483760003481614158Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816856n-h2-830646-228/27/2022 4:53:28 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was enabled. Subject: Security ID: S-1-5-21-3633094841-3717610605-3277516014-1000 Account Name: cloudbase-init Account Domain: N-H2-830646-22 Logon ID: 0x4EE7B Target Account: Security ID: S-1-5-21-3633094841-3717610605-3277516014-1001 Account Name: Admin Account Domain: N-H2-830646-22472200138240-921436483760003481614157Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816856n-h2-830646-228/27/2022 4:53:28 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was created. Subject: Security ID: S-1-5-21-3633094841-3717610605-3277516014-1000 Account Name: cloudbase-init Account Domain: N-H2-830646-22 Logon ID: 0x4EE7B New Account: Security ID: S-1-5-21-3633094841-3717610605-3277516014-1001 Account Name: Admin Account Domain: N-H2-830646-22 Attributes: SAM Account Name: Admin Display Name: <value not set> User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: <never> Account Expires: <never> Primary Group ID: 513 Allowed To Delegate To: - Old UAC Value: 0x0 New UAC Value: 0x15 User Account Control: Account Disabled 'Password Not Required' - Enabled 'Normal Account' - Enabled User Parameters: <value not set> SID History: - Logon Hours: All Additional Information: Privileges -472000138240-921436483760003481614156Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816856n-h2-830646-228/27/2022 4:53:28 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A member was added to a security-enabled global group. Subject: Security ID: S-1-5-21-3633094841-3717610605-3277516014-1000 Account Name: cloudbase-init Account Domain: N-H2-830646-22 Logon ID: 0x4EE7B Member: Security ID: S-1-5-21-3633094841-3717610605-3277516014-1001 Account Name: - Group: Security ID: S-1-5-21-3633094841-3717610605-3277516014-513 Group Name: None Group Domain: N-H2-830646-22 Additional Information: Privileges: -472800138260-921436483760003481614155Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816856n-h2-830646-228/27/2022 4:53:28 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614154Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816856n-h2-830646-228/27/2022 4:53:13 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614153Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816856n-h2-830646-228/27/2022 4:53:13 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3633094841-3717610605-3277516014-1000 Account Name: cloudbase-init Account Domain: N-H2-830646-22 Logon ID: 0x4EE7B Privileges: SeAssignPrimaryTokenPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614152Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816856n-h2-830646-228/27/2022 4:53:04 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-21-3633094841-3717610605-3277516014-1000 Account Name: cloudbase-init Account Domain: N-H2-830646-22 Logon ID: 0x2B2F2 Logon Information: Logon Type: 4 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3633094841-3717610605-3277516014-1000 Account Name: cloudbase-init Account Domain: N-H2-830646-22 Logon ID: 0x4EE7B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xebc Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe Network Information: Workstation Name: N-H2-830646-22 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614151Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816856n-h2-830646-228/27/2022 4:53:04 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: cloudbase-init Source Workstation: N-H2-830646-22 Error Code: 0x0477600143360-921436483760003481614150Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816856n-h2-830646-228/27/2022 4:53:04 AMd04d1aa4-b9d0-0003-081b-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoCredential ValidationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to reset an account's password. Subject: Security ID: S-1-5-21-3633094841-3717610605-3277516014-1000 Account Name: cloudbase-init Account Domain: N-H2-830646-22 Logon ID: 0x2B2F2 Target Account: Security ID: S-1-5-21-3633094841-3717610605-3277516014-1000 Account Name: cloudbase-init Account Domain: N-H2-830646-22472400138240-921436483760003481614149Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816856n-h2-830646-228/27/2022 4:53:04 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-21-3633094841-3717610605-3277516014-1000 Account Name: cloudbase-init Account Domain: N-H2-830646-22 Logon ID: 0x2B2F2 Target Account: Security ID: S-1-5-21-3633094841-3717610605-3277516014-1000 Account Name: cloudbase-init Account Domain: N-H2-830646-22 Changed Attributes: SAM Account Name: cloudbase-init Display Name: cloudbase-init User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: 8/27/2022 4:53:04 AM Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x210 New UAC Value: 0x210 User Account Control: - User Parameters: - SID History: - Logon Hours: All Additional Information: Privileges: -473800138240-921436483760003481614148Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816856n-h2-830646-228/27/2022 4:53:04 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-3633094841-3717610605-3277516014-1000 Account Name: cloudbase-init Account Domain: N-H2-830646-22 Logon ID: 0x2B2F2 User: Security ID: S-1-5-21-3633094841-3717610605-3277516014-1000 Account Name: cloudbase-init Account Domain: N-H2-830646-22 Process Information: Process ID: 0xebc Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe479800138240-921436483760003481614147Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816856n-h2-830646-228/27/2022 4:53:04 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-3633094841-3717610605-3277516014-1000 Account Name: cloudbase-init Account Domain: N-H2-830646-22 Logon ID: 0x2B2F2 User: Security ID: S-1-5-21-3633094841-3717610605-3277516014-1000 Account Name: cloudbase-init Account Domain: N-H2-830646-22 Process Information: Process ID: 0xebc Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe479800138240-921436483760003481614146Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816856n-h2-830646-228/27/2022 4:53:04 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account failed to log on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Type: 2 Account For Which Logon Failed: Security ID: S-1-0-0 Account Name: Administrator Account Domain: N-H2-830646-22 Failure Information: Failure Reason: The specified account's password has expired. Status: 0xC0000224 Sub Status: 0x0 Process Information: Caller Process ID: 0x24c Caller Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: N-H2-830646-22 Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462500125440-921886843722740531214145Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816856n-h2-830646-228/27/2022 4:53:03 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: S-1-5-21-3633094841-3717610605-3277516014-500 Account Name: Administrator Account Domain: N-H2-830646-22 Process Information: Process ID: 0xfb0 Process Name: C:\Windows\System32\LogonUI.exe479800138240-921436483760003481614144Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816856n-h2-830646-228/27/2022 4:53:03 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11 Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0506100122900-921436483760003481614143Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h2-830646-228/27/2022 4:53:02 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSystem IntegritySystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11 Key Type: User key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\63819b95e4646e20a43fc837afb825c9_6f209d63-1e80-4632-84d6-2afc9405ddcc Operation: Read persisted key from file. Return Code: 0x0505800122920-921436483760003481614142Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h2-830646-228/27/2022 4:53:02 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0xa04 Process Name: C:\Windows\System32\vmms.exe479900138260-921436483760003481614141Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816856n-h2-830646-228/27/2022 4:53:00 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0xa04 Process Name: C:\Windows\System32\vmms.exe479900138260-921436483760003481614140Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816856n-h2-830646-228/27/2022 4:53:00 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614139Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816856n-h2-830646-228/27/2022 4:53:00 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614138Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816856n-h2-830646-228/27/2022 4:53:00 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x24c Process Name: C:\Windows\System32\svchost.exe479900138260-921436483760003481614137Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h2-830646-228/27/2022 4:52:58 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: TSSecKeySet1 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0506100122900-921436483760003481614136Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816856n-h2-830646-228/27/2022 4:52:56 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSystem IntegritySystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: TSSecKeySet1 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f686aace6942fb7f7ceb231212eef4a4_3c6c94b9-4ecf-4405-b7e6-967cd262051b Operation: Read persisted key from file. Return Code: 0x0505800122920-921436483760003481614135Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816856n-h2-830646-228/27/2022 4:52:56 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: TSSecKeySet1 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0506100122900-921436483760003481614134Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h2-830646-228/27/2022 4:52:56 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSystem IntegritySystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: TSSecKeySet1 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f686aace6942fb7f7ceb231212eef4a4_3c6c94b9-4ecf-4405-b7e6-967cd262051b Operation: Read persisted key from file. Return Code: 0x0505800122920-921436483760003481614133Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h2-830646-228/27/2022 4:52:56 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3633094841-3717610605-3277516014-1000 Account Name: cloudbase-init Account Domain: N-H2-830646-22 Logon ID: 0x2B2F2 Privileges: SeAssignPrimaryTokenPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614132Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h2-830646-228/27/2022 4:52:56 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3633094841-3717610605-3277516014-1000 Account Name: cloudbase-init Account Domain: N-H2-830646-22 Logon ID: 0x2B2F2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: N-H2-830646-22 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614131Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h2-830646-228/27/2022 4:52:56 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: cloudbase-init Account Domain: N-H2-830646-22 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614130Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h2-830646-228/27/2022 4:52:56 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: cloudbase-init Source Workstation: N-H2-830646-22 Error Code: 0x0477600143360-921436483760003481614129Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h2-830646-228/27/2022 4:52:56 AMd04d1aa4-b9d0-0003-ee1a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoCredential ValidationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key migration operation. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11 Key Type: User key. Additional Information: Operation: Export of persistent cryptographic key. Return Code: 0x0505900122920-921436483760003481614128Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816856n-h2-830646-228/27/2022 4:52:54 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11 Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0506100122900-921436483760003481614127Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816856n-h2-830646-228/27/2022 4:52:54 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSystem IntegritySystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11 Key Type: User key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\63819b95e4646e20a43fc837afb825c9_6f209d63-1e80-4632-84d6-2afc9405ddcc Operation: Read persisted key from file. Return Code: 0x0505800122920-921436483760003481614126Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816856n-h2-830646-228/27/2022 4:52:54 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11 Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0506100122900-921436483760003481614125Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816856n-h2-830646-228/27/2022 4:52:54 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSystem IntegritySystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11 Key Type: User key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\63819b95e4646e20a43fc837afb825c9_6f209d63-1e80-4632-84d6-2afc9405ddcc Operation: Read persisted key from file. Return Code: 0x0505800122920-921436483760003481614124Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816856n-h2-830646-228/27/2022 4:52:54 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614123Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h2-830646-228/27/2022 4:52:54 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614122Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h2-830646-228/27/2022 4:52:54 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The Windows Firewall service started successfully.502400122920-921436483760003481614121Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816856n-h2-830646-228/27/2022 4:52:54 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614120Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h2-830646-228/27/2022 4:52:54 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614119Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h2-830646-228/27/2022 4:52:54 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-7 Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x2169D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V1 Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614118Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h2-830646-228/27/2022 4:52:53 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614117Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816856n-h2-830646-228/27/2022 4:52:53 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614116Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816856n-h2-830646-228/27/2022 4:52:53 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614115Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h2-830646-228/27/2022 4:52:53 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614114Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h2-830646-228/27/2022 4:52:53 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614113Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816904n-h2-830646-228/27/2022 4:52:53 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614112Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816904n-h2-830646-228/27/2022 4:52:53 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614111Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816904n-h2-830646-228/27/2022 4:52:53 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614110Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816904n-h2-830646-228/27/2022 4:52:53 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614109Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816904n-h2-830646-228/27/2022 4:52:53 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614108Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816904n-h2-830646-228/27/2022 4:52:53 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x24c Process Name: C:\Windows\System32\svchost.exe479900138260-921436483760003481614107Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816904n-h2-830646-228/27/2022 4:52:52 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The Windows Firewall Driver started successfully.503300122920-921436483760003481614106Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4384n-h2-830646-228/27/2022 4:52:52 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x24c Process Name: C:\Windows\System32\svchost.exe479900138260-921436483760003481614105Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816904n-h2-830646-228/27/2022 4:52:52 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x24c Process Name: C:\Windows\System32\svchost.exe479900138260-921436483760003481614104Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816904n-h2-830646-228/27/2022 4:52:52 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x4d4 Process Name: C:\Windows\System32\VSSVC.exe479900138260-921436483760003481614103Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816856n-h2-830646-228/27/2022 4:52:52 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x4d4 Process Name: C:\Windows\System32\VSSVC.exe479900138260-921436483760003481614102Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816856n-h2-830646-228/27/2022 4:52:52 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x4d4 Process Name: C:\Windows\System32\VSSVC.exe479900138260-921436483760003481614101Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816904n-h2-830646-228/27/2022 4:52:52 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x4d4 Process Name: C:\Windows\System32\VSSVC.exe479900138260-921436483760003481614100Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816904n-h2-830646-228/27/2022 4:52:52 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x4d4 Process Name: C:\Windows\System32\VSSVC.exe479900138260-921436483760003481614099Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816904n-h2-830646-228/27/2022 4:52:52 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x4d4 Process Name: C:\Windows\System32\VSSVC.exe479900138260-921436483760003481614098Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816904n-h2-830646-228/27/2022 4:52:52 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614097Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816904n-h2-830646-228/27/2022 4:52:52 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614096Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816904n-h2-830646-228/27/2022 4:52:52 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-20 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E4 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe479900138260-921436483760003481614095Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816856n-h2-830646-228/27/2022 4:52:52 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-20 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E4 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe479900138260-921436483760003481614094Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816856n-h2-830646-228/27/2022 4:52:52 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x4d4 Process Name: C:\Windows\System32\VSSVC.exe479900138260-921436483760003481614093Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816856n-h2-830646-228/27/2022 4:52:52 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x4d4 Process Name: C:\Windows\System32\VSSVC.exe479900138260-921436483760003481614092Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816856n-h2-830646-228/27/2022 4:52:52 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614091Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h2-830646-228/27/2022 4:52:52 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614090Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h2-830646-228/27/2022 4:52:52 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The system time was changed. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Process Information: Process ID: 0x594 Name: C:\Windows\System32\svchost.exe Previous Time: ?2022?-?08?-?27T04:52:52.167114200Z New Time: ?2022?-?08?-?27T04:52:51.787000000Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.461610122880-921436483760003481614089Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4384n-h2-830646-228/27/2022 4:52:51 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity State ChangeSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614088Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h2-830646-228/27/2022 4:52:51 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614087Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h2-830646-228/27/2022 4:52:51 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Temp\winre\ExtractedFromWim Handle ID: 0x504 Process Information: Process ID: 0x510 Process Name: C:\Windows\System32\oobe\msoobe.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)490700135680-921436483760003481614086Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4508n-h2-830646-228/27/2022 4:52:51 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoAudit Policy ChangeSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614085Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816856n-h2-830646-228/27/2022 4:52:51 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614084Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816856n-h2-830646-228/27/2022 4:52:51 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614083Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h2-830646-228/27/2022 4:52:51 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614082Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h2-830646-228/27/2022 4:52:51 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled global group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-21-3633094841-3717610605-3277516014-513 Group Name: None Group Domain: N-H2-830646-22 Changed Attributes: SAM Account Name: None SID History: - Additional Information: Privileges: -473700138260-921436483760003481614081Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h2-830646-228/27/2022 4:52:50 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-21-3633094841-3717610605-3277516014-513 Account Domain: N-H2-830646-22 Old Account Name: None New Account Name: None Additional Information: Privileges: -478100138240-921436483760003481614080Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h2-830646-228/27/2022 4:52:50 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled global group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-21-3633094841-3717610605-3277516014-513 Group Name: None Group Domain: N-H2-830646-22 Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473700138260-921436483760003481614079Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h2-830646-228/27/2022 4:52:50 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-21-3633094841-3717610605-3277516014-503 Account Name: DefaultAccount Account Domain: N-H2-830646-22 Changed Attributes: SAM Account Name: DefaultAccount Display Name: <value not set> User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: <never> Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x215 New UAC Value: 0x215 User Account Control: - User Parameters: <value not set> SID History: - Logon Hours: All Additional Information: Privileges: -473800138240-921436483760003481614078Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h2-830646-228/27/2022 4:52:50 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-21-3633094841-3717610605-3277516014-503 Account Name: DefaultAccount Account Domain: N-H2-830646-22 Changed Attributes: SAM Account Name: DefaultAccount Display Name: <value not set> User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: <never> Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x215 New UAC Value: 0x215 User Account Control: - User Parameters: <value not set> SID History: - Logon Hours: All Additional Information: Privileges: -473800138240-921436483760003481614077Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h2-830646-228/27/2022 4:52:50 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-21-3633094841-3717610605-3277516014-501 Account Name: Guest Account Domain: N-H2-830646-22 Changed Attributes: SAM Account Name: Guest Display Name: <value not set> User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: <never> Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x215 New UAC Value: 0x215 User Account Control: - User Parameters: <value not set> SID History: - Logon Hours: All Additional Information: Privileges: -473800138240-921436483760003481614076Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h2-830646-228/27/2022 4:52:50 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-21-3633094841-3717610605-3277516014-501 Account Name: Guest Account Domain: N-H2-830646-22 Changed Attributes: SAM Account Name: Guest Display Name: <value not set> User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: <never> Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x215 New UAC Value: 0x215 User Account Control: - User Parameters: <value not set> SID History: - Logon Hours: All Additional Information: Privileges: -473800138240-921436483760003481614075Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h2-830646-228/27/2022 4:52:50 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-21-3633094841-3717610605-3277516014-500 Account Name: Administrator Account Domain: N-H2-830646-22 Changed Attributes: SAM Account Name: Administrator Display Name: <value not set> User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: <never> Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x10 New UAC Value: 0x10 User Account Control: - User Parameters: <value not set> SID History: - Logon Hours: All Additional Information: Privileges: -473800138240-921436483760003481614074Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h2-830646-228/27/2022 4:52:50 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-21-3633094841-3717610605-3277516014-500 Account Name: Administrator Account Domain: N-H2-830646-22 Changed Attributes: SAM Account Name: Administrator Display Name: <value not set> User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: <never> Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x10 New UAC Value: 0x10 User Account Control: - User Parameters: <value not set> SID History: - Logon Hours: All Additional Information: Privileges: -473800138240-921436483760003481614073Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h2-830646-228/27/2022 4:52:50 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-581 Group Name: System Managed Accounts Group Group Domain: Builtin Changed Attributes: SAM Account Name: System Managed Accounts Group SID History: - Additional Information: Privileges: -473500138260-921436483760003481614072Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h2-830646-228/27/2022 4:52:50 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-581 Account Domain: Builtin Old Account Name: System Managed Accounts Group New Account Name: System Managed Accounts Group Additional Information: Privileges: -478100138240-921436483760003481614071Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h2-830646-228/27/2022 4:52:50 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-581 Group Name: System Managed Accounts Group Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614070Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h2-830646-228/27/2022 4:52:50 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-582 Group Name: Storage Replica Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: Storage Replica Administrators SID History: - Additional Information: Privileges: -473500138260-921436483760003481614069Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h2-830646-228/27/2022 4:52:50 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-582 Account Domain: Builtin Old Account Name: Storage Replica Administrators New Account Name: Storage Replica Administrators Additional Information: Privileges: -478100138240-921436483760003481614068Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h2-830646-228/27/2022 4:52:50 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-582 Group Name: Storage Replica Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614067Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h2-830646-228/27/2022 4:52:50 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-580 Group Name: Remote Management Users Group Domain: Builtin Changed Attributes: SAM Account Name: Remote Management Users SID History: - Additional Information: Privileges: -473500138260-921436483760003481614066Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h2-830646-228/27/2022 4:52:50 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-580 Account Domain: Builtin Old Account Name: Remote Management Users New Account Name: Remote Management Users Additional Information: Privileges: -478100138240-921436483760003481614065Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h2-830646-228/27/2022 4:52:50 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-580 Group Name: Remote Management Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614064Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h2-830646-228/27/2022 4:52:50 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-579 Group Name: Access Control Assistance Operators Group Domain: Builtin Changed Attributes: SAM Account Name: Access Control Assistance Operators SID History: - Additional Information: Privileges: -473500138260-921436483760003481614063Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h2-830646-228/27/2022 4:52:50 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-579 Account Domain: Builtin Old Account Name: Access Control Assistance Operators New Account Name: Access Control Assistance Operators Additional Information: Privileges: -478100138240-921436483760003481614062Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h2-830646-228/27/2022 4:52:50 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-579 Group Name: Access Control Assistance Operators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614061Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h2-830646-228/27/2022 4:52:50 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-578 Group Name: Hyper-V Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: Hyper-V Administrators SID History: - Additional Information: Privileges: -473500138260-921436483760003481614060Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h2-830646-228/27/2022 4:52:50 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-578 Account Domain: Builtin Old Account Name: Hyper-V Administrators New Account Name: Hyper-V Administrators Additional Information: Privileges: -478100138240-921436483760003481614059Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h2-830646-228/27/2022 4:52:50 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-578 Group Name: Hyper-V Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614058Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h2-830646-228/27/2022 4:52:50 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-577 Group Name: RDS Management Servers Group Domain: Builtin Changed Attributes: SAM Account Name: RDS Management Servers SID History: - Additional Information: Privileges: -473500138260-921436483760003481614057Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h2-830646-228/27/2022 4:52:50 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-577 Account Domain: Builtin Old Account Name: RDS Management Servers New Account Name: RDS Management Servers Additional Information: Privileges: -478100138240-921436483760003481614056Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h2-830646-228/27/2022 4:52:50 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-577 Group Name: RDS Management Servers Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614055Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h2-830646-228/27/2022 4:52:50 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-576 Group Name: RDS Endpoint Servers Group Domain: Builtin Changed Attributes: SAM Account Name: RDS Endpoint Servers SID History: - Additional Information: Privileges: -473500138260-921436483760003481614054Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h2-830646-228/27/2022 4:52:50 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-576 Account Domain: Builtin Old Account Name: RDS Endpoint Servers New Account Name: RDS Endpoint Servers Additional Information: Privileges: -478100138240-921436483760003481614053Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h2-830646-228/27/2022 4:52:50 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-576 Group Name: RDS Endpoint Servers Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614052Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h2-830646-228/27/2022 4:52:50 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-575 Group Name: RDS Remote Access Servers Group Domain: Builtin Changed Attributes: SAM Account Name: RDS Remote Access Servers SID History: - Additional Information: Privileges: -473500138260-921436483760003481614051Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h2-830646-228/27/2022 4:52:50 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-575 Account Domain: Builtin Old Account Name: RDS Remote Access Servers New Account Name: RDS Remote Access Servers Additional Information: Privileges: -478100138240-921436483760003481614050Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h2-830646-228/27/2022 4:52:50 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-575 Group Name: RDS Remote Access Servers Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614049Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h2-830646-228/27/2022 4:52:50 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-574 Group Name: Certificate Service DCOM Access Group Domain: Builtin Changed Attributes: SAM Account Name: Certificate Service DCOM Access SID History: - Additional Information: Privileges: -473500138260-921436483760003481614048Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h2-830646-228/27/2022 4:52:50 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-574 Account Domain: Builtin Old Account Name: Certificate Service DCOM Access New Account Name: Certificate Service DCOM Access Additional Information: Privileges: -478100138240-921436483760003481614047Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h2-830646-228/27/2022 4:52:50 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-574 Group Name: Certificate Service DCOM Access Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614046Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h2-830646-228/27/2022 4:52:50 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-573 Group Name: Event Log Readers Group Domain: Builtin Changed Attributes: SAM Account Name: Event Log Readers SID History: - Additional Information: Privileges: -473500138260-921436483760003481614045Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h2-830646-228/27/2022 4:52:50 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-573 Account Domain: Builtin Old Account Name: Event Log Readers New Account Name: Event Log Readers Additional Information: Privileges: -478100138240-921436483760003481614044Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h2-830646-228/27/2022 4:52:50 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-573 Group Name: Event Log Readers Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614043Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h2-830646-228/27/2022 4:52:50 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-569 Group Name: Cryptographic Operators Group Domain: Builtin Changed Attributes: SAM Account Name: Cryptographic Operators SID History: - Additional Information: Privileges: -473500138260-921436483760003481614042Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h2-830646-228/27/2022 4:52:50 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-569 Account Domain: Builtin Old Account Name: Cryptographic Operators New Account Name: Cryptographic Operators Additional Information: Privileges: -478100138240-921436483760003481614041Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h2-830646-228/27/2022 4:52:50 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-569 Group Name: Cryptographic Operators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614040Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h2-830646-228/27/2022 4:52:50 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-568 Group Name: IIS_IUSRS Group Domain: Builtin Changed Attributes: SAM Account Name: IIS_IUSRS SID History: - Additional Information: Privileges: -473500138260-921436483760003481614039Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h2-830646-228/27/2022 4:52:50 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-568 Account Domain: Builtin Old Account Name: IIS_IUSRS New Account Name: IIS_IUSRS Additional Information: Privileges: -478100138240-921436483760003481614038Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h2-830646-228/27/2022 4:52:50 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-568 Group Name: IIS_IUSRS Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614037Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h2-830646-228/27/2022 4:52:50 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-562 Group Name: Distributed COM Users Group Domain: Builtin Changed Attributes: SAM Account Name: Distributed COM Users SID History: - Additional Information: Privileges: -473500138260-921436483760003481614036Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h2-830646-228/27/2022 4:52:50 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-562 Account Domain: Builtin Old Account Name: Distributed COM Users New Account Name: Distributed COM Users Additional Information: Privileges: -478100138240-921436483760003481614035Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h2-830646-228/27/2022 4:52:50 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-562 Group Name: Distributed COM Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614034Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h2-830646-228/27/2022 4:52:50 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-559 Group Name: Performance Log Users Group Domain: Builtin Changed Attributes: SAM Account Name: Performance Log Users SID History: - Additional Information: Privileges: -473500138260-921436483760003481614033Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h2-830646-228/27/2022 4:52:50 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-559 Account Domain: Builtin Old Account Name: Performance Log Users New Account Name: Performance Log Users Additional Information: Privileges: -478100138240-921436483760003481614032Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h2-830646-228/27/2022 4:52:50 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-559 Group Name: Performance Log Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614031Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h2-830646-228/27/2022 4:52:50 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-558 Group Name: Performance Monitor Users Group Domain: Builtin Changed Attributes: SAM Account Name: Performance Monitor Users SID History: - Additional Information: Privileges: -473500138260-921436483760003481614030Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h2-830646-228/27/2022 4:52:50 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-558 Account Domain: Builtin Old Account Name: Performance Monitor Users New Account Name: Performance Monitor Users Additional Information: Privileges: -478100138240-921436483760003481614029Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h2-830646-228/27/2022 4:52:50 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-558 Group Name: Performance Monitor Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614028Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h2-830646-228/27/2022 4:52:50 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-547 Group Name: Power Users Group Domain: Builtin Changed Attributes: SAM Account Name: Power Users SID History: - Additional Information: Privileges: -473500138260-921436483760003481614027Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h2-830646-228/27/2022 4:52:50 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-547 Account Domain: Builtin Old Account Name: Power Users New Account Name: Power Users Additional Information: Privileges: -478100138240-921436483760003481614026Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h2-830646-228/27/2022 4:52:50 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-547 Group Name: Power Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614025Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h2-830646-228/27/2022 4:52:50 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-556 Group Name: Network Configuration Operators Group Domain: Builtin Changed Attributes: SAM Account Name: Network Configuration Operators SID History: - Additional Information: Privileges: -473500138260-921436483760003481614024Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h2-830646-228/27/2022 4:52:50 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-556 Account Domain: Builtin Old Account Name: Network Configuration Operators New Account Name: Network Configuration Operators Additional Information: Privileges: -478100138240-921436483760003481614023Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h2-830646-228/27/2022 4:52:50 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-556 Group Name: Network Configuration Operators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614022Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h2-830646-228/27/2022 4:52:50 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-555 Group Name: Remote Desktop Users Group Domain: Builtin Changed Attributes: SAM Account Name: Remote Desktop Users SID History: - Additional Information: Privileges: -473500138260-921436483760003481614021Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h2-830646-228/27/2022 4:52:50 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-555 Account Domain: Builtin Old Account Name: Remote Desktop Users New Account Name: Remote Desktop Users Additional Information: Privileges: -478100138240-921436483760003481614020Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h2-830646-228/27/2022 4:52:50 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-555 Group Name: Remote Desktop Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614019Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h2-830646-228/27/2022 4:52:50 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-552 Group Name: Replicator Group Domain: Builtin Changed Attributes: SAM Account Name: Replicator SID History: - Additional Information: Privileges: -473500138260-921436483760003481614018Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h2-830646-228/27/2022 4:52:50 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-552 Account Domain: Builtin Old Account Name: Replicator New Account Name: Replicator Additional Information: Privileges: -478100138240-921436483760003481614017Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h2-830646-228/27/2022 4:52:50 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-552 Group Name: Replicator Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614016Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h2-830646-228/27/2022 4:52:50 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Changed Attributes: SAM Account Name: Backup Operators SID History: - Additional Information: Privileges: -473500138260-921436483760003481614015Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h2-830646-228/27/2022 4:52:50 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-551 Account Domain: Builtin Old Account Name: Backup Operators New Account Name: Backup Operators Additional Information: Privileges: -478100138240-921436483760003481614014Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h2-830646-228/27/2022 4:52:50 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614013Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h2-830646-228/27/2022 4:52:50 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-546 Group Name: Guests Group Domain: Builtin Changed Attributes: SAM Account Name: Guests SID History: - Additional Information: Privileges: -473500138260-921436483760003481614012Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h2-830646-228/27/2022 4:52:50 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-546 Account Domain: Builtin Old Account Name: Guests New Account Name: Guests Additional Information: Privileges: -478100138240-921436483760003481614011Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h2-830646-228/27/2022 4:52:50 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-546 Group Name: Guests Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614010Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h2-830646-228/27/2022 4:52:50 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-545 Group Name: Users Group Domain: Builtin Changed Attributes: SAM Account Name: Users SID History: - Additional Information: Privileges: -473500138260-921436483760003481614009Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h2-830646-228/27/2022 4:52:50 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-545 Account Domain: Builtin Old Account Name: Users New Account Name: Users Additional Information: Privileges: -478100138240-921436483760003481614008Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h2-830646-228/27/2022 4:52:50 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-545 Group Name: Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614007Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h2-830646-228/27/2022 4:52:50 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: Administrators SID History: - Additional Information: Privileges: -473500138260-921436483760003481614006Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h2-830646-228/27/2022 4:52:50 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-544 Account Domain: Builtin Old Account Name: Administrators New Account Name: Administrators Additional Information: Privileges: -478100138240-921436483760003481614005Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h2-830646-228/27/2022 4:52:50 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614004Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h2-830646-228/27/2022 4:52:50 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-550 Group Name: Print Operators Group Domain: Builtin Changed Attributes: SAM Account Name: Print Operators SID History: - Additional Information: Privileges: -473500138260-921436483760003481614003Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h2-830646-228/27/2022 4:52:50 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-550 Account Domain: Builtin Old Account Name: Print Operators New Account Name: Print Operators Additional Information: Privileges: -478100138240-921436483760003481614002Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h2-830646-228/27/2022 4:52:50 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-550 Group Name: Print Operators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614001Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h2-830646-228/27/2022 4:52:50 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614000Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816904n-h2-830646-228/27/2022 4:52:38 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613999Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816904n-h2-830646-228/27/2022 4:52:38 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481613998Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816904n-h2-830646-228/27/2022 4:52:38 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613997Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816904n-h2-830646-228/27/2022 4:52:38 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege467200125480-921436483760003481613996Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816904n-h2-830646-228/27/2022 4:52:38 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613995Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816904n-h2-830646-228/27/2022 4:52:38 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481613994Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816904n-h2-830646-228/27/2022 4:52:38 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613993Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816904n-h2-830646-228/27/2022 4:52:38 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xB580 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege467200125480-921436483760003481613992Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816904n-h2-830646-228/27/2022 4:52:38 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xB56E Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege467200125480-921436483760003481613991Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816904n-h2-830646-228/27/2022 4:52:38 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xB580 Linked Logon ID: 0xB56E Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2d0 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613990Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816904n-h2-830646-228/27/2022 4:52:38 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xB56E Linked Logon ID: 0xB580 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2d0 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613989Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816904n-h2-830646-228/27/2022 4:52:38 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-1 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x2d0 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481613988Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816904n-h2-830646-228/27/2022 4:52:38 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege467200125480-921436483760003481613987Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816904n-h2-830646-228/27/2022 4:52:37 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613986Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816904n-h2-830646-228/27/2022 4:52:37 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481613985Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816864n-h2-830646-228/27/2022 4:52:37 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-830646-22$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613984Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816864n-h2-830646-228/27/2022 4:52:37 AMd04d1aa4-b9d0-0005-a91a-4dd0d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0x61AB490200135680-921436483760003481613983Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816872n-h2-830646-228/27/2022 4:52:37 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoAudit Policy ChangeSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 0 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: - New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613982Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816820n-h2-830646-228/27/2022 4:52:36 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.460800122880-921436483760003481613981Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816820n-h2-830646-228/27/2022 4:52:36 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity State ChangeSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x330 New Process Name: C:\Windows\System32\lsass.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2b0 Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481613980Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4188n-h2-830646-228/27/2022 4:52:36 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x320 New Process Name: C:\Windows\System32\services.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2b0 Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481613979Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4188n-h2-830646-228/27/2022 4:52:36 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2d0 New Process Name: C:\Windows\System32\winlogon.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x290 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481613978Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4188n-h2-830646-228/27/2022 4:52:35 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2b0 New Process Name: C:\Windows\System32\wininit.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x248 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481613977Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4188n-h2-830646-228/27/2022 4:52:35 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x298 New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x290 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481613976Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4188n-h2-830646-228/27/2022 4:52:35 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x290 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x18c Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481613975Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4188n-h2-830646-228/27/2022 4:52:35 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x250 New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x248 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481613974Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4228n-h2-830646-228/27/2022 4:52:34 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x248 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x18c Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481613973Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4228n-h2-830646-228/27/2022 4:52:34 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x218 New Process Name: C:\Windows\System32\autochk.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x18c Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481613972Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4136n-h2-830646-228/27/2022 4:52:32 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x18c New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481613971Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4136n-h2-830646-228/27/2022 4:52:32 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x188 New Process Name: Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481613970Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4136n-h2-830646-228/27/2022 4:52:32 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Boot Configuration Data loaded. Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 General Settings: Load Options: - Advanced Options: No Configuration Access Policy: Default System Event Logging: No Kernel Debugging: No VSM Launch Type: Auto Signature Settings: Test Signing: No Flight Signing: No Disable Integrity Checks: No HyperVisor Settings: HyperVisor Load Options: - HyperVisor Launch Type: Auto HyperVisor Debugging: No482600135730-921436483760003481613969Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4136n-h2-830646-228/27/2022 4:52:32 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther Policy Change EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The system time was changed. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Process Information: Process ID: 0x5ec Name: C:\Windows\System32\svchost.exe Previous Time: ?2022?-?08?-?27T04:52:22.137642200Z New Time: ?2022?-?08?-?27T04:52:22.131000000Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.461610122880-921436483760003481613968Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4136WIN-5T344G8GM1H8/27/2022 4:52:22 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity State ChangeSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The event logging service has shut down.1100041030462069321768212889613967Microsoft-Windows-Eventlogfc65ddd8-d6ef-4962-83d5-6e5cfe9ce148Security13161692WIN-5T344G8GM1H8/27/2022 4:52:22 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoService shutdownSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481613966Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892WIN-5T344G8GM1H8/27/2022 4:52:17 AM93a746fb-b9d0-0005-0147-a793d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613965Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892WIN-5T344G8GM1H8/27/2022 4:52:17 AM93a746fb-b9d0-0005-0147-a793d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to reset an account's password. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-21-3633094841-3717610605-3277516014-1000 Account Name: cloudbase-init Account Domain: WIN-5T344G8GM1H472400138240-921436483760003481613964Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892WIN-5T344G8GM1H8/27/2022 4:52:03 AM93a746fb-b9d0-0005-0147-a793d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-21-3633094841-3717610605-3277516014-1000 Account Name: cloudbase-init Account Domain: WIN-5T344G8GM1H Changed Attributes: SAM Account Name: cloudbase-init Display Name: cloudbase-init User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: 8/27/2022 4:52:03 AM Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x210 New UAC Value: 0x210 User Account Control: - User Parameters: - SID History: - Logon Hours: All Additional Information: Privileges: -473800138240-921436483760003481613963Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892WIN-5T344G8GM1H8/27/2022 4:52:03 AM93a746fb-b9d0-0005-0147-a793d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: S-1-5-21-3633094841-3717610605-3277516014-1000 Account Name: cloudbase-init Account Domain: WIN-5T344G8GM1H Process Information: Process ID: 0xb2c Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe479800138240-921436483760003481613962Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892WIN-5T344G8GM1H8/27/2022 4:52:03 AM93a746fb-b9d0-0005-0147-a793d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: S-1-5-21-3633094841-3717610605-3277516014-1000 Account Name: cloudbase-init Account Domain: WIN-5T344G8GM1H Process Information: Process ID: 0xb2c Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe479800138240-921436483760003481613961Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892WIN-5T344G8GM1H8/27/2022 4:52:03 AM93a746fb-b9d0-0005-0147-a793d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Temp\winre\ExtractedFromWim Handle ID: 0x3ec Process Information: Process ID: 0x4b4 Process Name: C:\Windows\System32\oobe\Setup.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)490700135680-921436483760003481613960Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4564WIN-5T344G8GM1H8/27/2022 4:51:36 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoAudit Policy ChangeSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481613959Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896WIN-5T344G8GM1H8/27/2022 4:51:24 AM93a746fb-b9d0-0005-0147-a793d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613958Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896WIN-5T344G8GM1H8/27/2022 4:51:24 AM93a746fb-b9d0-0005-0147-a793d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The Windows Firewall service started successfully.502400122920-921436483760003481613957Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864WIN-5T344G8GM1H8/27/2022 4:51:24 AM93a746fb-b9d0-0005-0147-a793d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-7 Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x631B9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V1 Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613956Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892WIN-5T344G8GM1H8/27/2022 4:51:23 AM93a746fb-b9d0-0005-0147-a793d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481613955Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864WIN-5T344G8GM1H8/27/2022 4:51:23 AM93a746fb-b9d0-0005-0147-a793d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613954Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864WIN-5T344G8GM1H8/27/2022 4:51:23 AM93a746fb-b9d0-0005-0147-a793d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481613953Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864WIN-5T344G8GM1H8/27/2022 4:51:23 AM93a746fb-b9d0-0005-0147-a793d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613952Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864WIN-5T344G8GM1H8/27/2022 4:51:23 AM93a746fb-b9d0-0005-0147-a793d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481613951Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892WIN-5T344G8GM1H8/27/2022 4:51:23 AM93a746fb-b9d0-0005-0147-a793d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613950Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892WIN-5T344G8GM1H8/27/2022 4:51:23 AM93a746fb-b9d0-0005-0147-a793d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481613949Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892WIN-5T344G8GM1H8/27/2022 4:51:23 AM93a746fb-b9d0-0005-0147-a793d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613948Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892WIN-5T344G8GM1H8/27/2022 4:51:23 AM93a746fb-b9d0-0005-0147-a793d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481613947Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892WIN-5T344G8GM1H8/27/2022 4:51:23 AM93a746fb-b9d0-0005-0147-a793d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613946Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892WIN-5T344G8GM1H8/27/2022 4:51:23 AM93a746fb-b9d0-0005-0147-a793d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The Windows Firewall Driver started successfully.503300122920-921436483760003481613945Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4588WIN-5T344G8GM1H8/27/2022 4:51:22 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481613944Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864WIN-5T344G8GM1H8/27/2022 4:51:22 AM93a746fb-b9d0-0005-0147-a793d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613943Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864WIN-5T344G8GM1H8/27/2022 4:51:22 AM93a746fb-b9d0-0005-0147-a793d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481613942Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892WIN-5T344G8GM1H8/27/2022 4:51:22 AM93a746fb-b9d0-0005-0147-a793d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613941Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892WIN-5T344G8GM1H8/27/2022 4:51:22 AM93a746fb-b9d0-0005-0147-a793d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The system time was changed. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Process Information: Process ID: 0x524 Name: C:\Windows\System32\svchost.exe Previous Time: ?2022?-?08?-?27T04:51:21.776285400Z New Time: ?2022?-?08?-?27T04:51:22.054000000Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.461610122880-921436483760003481613940Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4472WIN-5T344G8GM1H8/27/2022 4:51:22 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity State ChangeSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481613939Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892WIN-5T344G8GM1H8/27/2022 4:51:21 AM93a746fb-b9d0-0005-0147-a793d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613938Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892WIN-5T344G8GM1H8/27/2022 4:51:21 AM93a746fb-b9d0-0005-0147-a793d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481613937Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896WIN-5T344G8GM1H8/27/2022 4:51:21 AM93a746fb-b9d0-0005-0147-a793d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613936Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896WIN-5T344G8GM1H8/27/2022 4:51:21 AM93a746fb-b9d0-0005-0147-a793d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481613935Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896WIN-5T344G8GM1H8/27/2022 4:51:13 AM93a746fb-b9d0-0005-0147-a793d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613934Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896WIN-5T344G8GM1H8/27/2022 4:51:13 AM93a746fb-b9d0-0005-0147-a793d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481613933Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896WIN-5T344G8GM1H8/27/2022 4:51:13 AM93a746fb-b9d0-0005-0147-a793d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613932Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896WIN-5T344G8GM1H8/27/2022 4:51:13 AM93a746fb-b9d0-0005-0147-a793d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege467200125480-921436483760003481613931Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896WIN-5T344G8GM1H8/27/2022 4:51:13 AM93a746fb-b9d0-0005-0147-a793d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613930Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896WIN-5T344G8GM1H8/27/2022 4:51:13 AM93a746fb-b9d0-0005-0147-a793d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481613929Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896WIN-5T344G8GM1H8/27/2022 4:51:13 AM93a746fb-b9d0-0005-0147-a793d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613928Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896WIN-5T344G8GM1H8/27/2022 4:51:13 AM93a746fb-b9d0-0005-0147-a793d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x57540 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege467200125480-921436483760003481613927Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896WIN-5T344G8GM1H8/27/2022 4:51:13 AM93a746fb-b9d0-0005-0147-a793d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x5751D Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege467200125480-921436483760003481613926Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896WIN-5T344G8GM1H8/27/2022 4:51:13 AM93a746fb-b9d0-0005-0147-a793d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x57540 Linked Logon ID: 0x5751D Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2d8 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613925Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896WIN-5T344G8GM1H8/27/2022 4:51:13 AM93a746fb-b9d0-0005-0147-a793d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x5751D Linked Logon ID: 0x57540 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2d8 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613924Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896WIN-5T344G8GM1H8/27/2022 4:51:13 AM93a746fb-b9d0-0005-0147-a793d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-1 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x2d8 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481613923Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896WIN-5T344G8GM1H8/27/2022 4:51:13 AM93a746fb-b9d0-0005-0147-a793d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege467200125480-921436483760003481613922Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896WIN-5T344G8GM1H8/27/2022 4:51:12 AM93a746fb-b9d0-0005-0147-a793d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613921Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896WIN-5T344G8GM1H8/27/2022 4:51:12 AM93a746fb-b9d0-0005-0147-a793d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481613920Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896WIN-5T344G8GM1H8/27/2022 4:51:11 AM93a746fb-b9d0-0005-0147-a793d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613919Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896WIN-5T344G8GM1H8/27/2022 4:51:11 AM93a746fb-b9d0-0005-0147-a793d0b9d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0x5010C490200135680-921436483760003481613918Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820868WIN-5T344G8GM1H8/27/2022 4:51:11 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoAudit Policy ChangeSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 0 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: - New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613917Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820824WIN-5T344G8GM1H8/27/2022 4:51:11 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.460800122880-921436483760003481613916Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820824WIN-5T344G8GM1H8/27/2022 4:51:11 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity State ChangeSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x334 New Process Name: C:\Windows\System32\lsass.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2b4 Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481613915Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4564WIN-5T344G8GM1H8/27/2022 4:51:11 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x324 New Process Name: C:\Windows\System32\services.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2b4 Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481613914Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4564WIN-5T344G8GM1H8/27/2022 4:51:10 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2d8 New Process Name: C:\Windows\System32\winlogon.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x294 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481613913Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4472WIN-5T344G8GM1H8/27/2022 4:51:10 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2b4 New Process Name: C:\Windows\System32\wininit.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x254 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481613912Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4472WIN-5T344G8GM1H8/27/2022 4:51:10 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x29c New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x294 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481613911Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4472WIN-5T344G8GM1H8/27/2022 4:51:10 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x294 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1e4 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481613910Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4472WIN-5T344G8GM1H8/27/2022 4:51:10 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x25c New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x254 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481613909Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4228WIN-5T344G8GM1H8/27/2022 4:51:09 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x254 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1e4 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481613908Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4228WIN-5T344G8GM1H8/27/2022 4:51:09 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x238 New Process Name: C:\Windows\System32\setupcl.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1e4 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481613907Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4188WIN-5T344G8GM1H8/27/2022 4:50:53 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x208 New Process Name: C:\Windows\System32\autochk.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1e4 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481613906Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4228WIN-5T344G8GM1H8/27/2022 4:50:51 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1e4 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481613905Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4136WIN-5T344G8GM1H8/27/2022 4:50:50 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1e0 New Process Name: Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481613904Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4136WIN-5T344G8GM1H8/27/2022 4:50:50 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Boot Configuration Data loaded. Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 General Settings: Load Options: - Advanced Options: No Configuration Access Policy: Default System Event Logging: No Kernel Debugging: No VSM Launch Type: Auto Signature Settings: Test Signing: No Flight Signing: No Disable Integrity Checks: No HyperVisor Settings: HyperVisor Load Options: - HyperVisor Launch Type: Auto HyperVisor Debugging: No482600135730-921436483760003481613903Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4136WIN-5T344G8GM1H8/27/2022 4:50:50 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther Policy Change EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The system time was changed. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Process Information: Process ID: 0x4dc Name: C:\Windows\System32\svchost.exe Previous Time: ?2018?-?01?-?19T09:48:13.164762500Z New Time: ?2018?-?01?-?19T09:48:13.152000000Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.461610122880-921436483760003481613902Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity41980WIN-5T344G8GM1H1/19/2018 9:48:13 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity State ChangeSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The event logging service has shut down.1100041030462069321768212889613901Microsoft-Windows-Eventlogfc65ddd8-d6ef-4962-83d5-6e5cfe9ce148Security4361144WIN-5T344G8GM1H1/19/2018 9:48:13 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoService shutdownSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
User initiated logoff: Subject: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Account Domain: WIN-5T344G8GM1H Logon ID: 0x1F0E3 This event is generated when a logoff is initiated. No further user-initiated activity can occur. This event can be interpreted as a logoff event.464700125450-921436483760003481613900Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity664716WIN-5T344G8GM1H1/19/2018 9:48:12 AMad8d0f9c-9109-0000-b10f-8dad0991d301securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481613899Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity6643024WIN-5T344G8GM1H1/19/2018 9:48:11 AMad8d0f9c-9109-0000-b10f-8dad0991d301securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x290 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613898Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity6643024WIN-5T344G8GM1H1/19/2018 9:48:11 AMad8d0f9c-9109-0000-b10f-8dad0991d301securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481613897Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity664756WIN-5T344G8GM1H1/19/2018 9:48:10 AMad8d0f9c-9109-0000-b10f-8dad0991d301securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x290 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613896Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity664756WIN-5T344G8GM1H1/19/2018 9:48:10 AMad8d0f9c-9109-0000-b10f-8dad0991d301securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Domain Policy was changed. Change Type: Password Policy modified Subject: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Account Domain: WIN-5T344G8GM1H Logon ID: 0x1F0E3 Domain: Domain Name: WIN-5T344G8GM1H Domain ID: S-1-5-21-416071247-492812682-1642729393 Changed Attributes: Min. Password Age: Max. Password Age: Force Logoff: Lockout Threshold: Lockout Observation Window: Lockout Duration: Password Properties: Min. Password Length: Password History Length: - Machine Account Quota: - Mixed Domain Mode: - Domain Behavior Version: - OEM Information: 1 Additional Information: Privileges: -473900135690-921436483760003481613895Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity664716WIN-5T344G8GM1H1/19/2018 9:47:34 AMad8d0f9c-9109-0000-b10f-8dad0991d301securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoAuthentication Policy ChangeSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Account Domain: WIN-5T344G8GM1H Logon ID: 0x1F0E3 Target Account: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Account Domain: WIN-5T344G8GM1H Changed Attributes: SAM Account Name: Administrator Display Name: <value not set> User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: <never> Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x210 New UAC Value: 0x10 User Account Control: 'Don't Expire Password' - Disabled User Parameters: <value not set> SID History: - Logon Hours: All Additional Information: Privileges: -473800138240-921436483760003481613894Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity664716WIN-5T344G8GM1H1/19/2018 9:47:34 AMad8d0f9c-9109-0000-b10f-8dad0991d301securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to reset an account's password. Subject: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Account Domain: WIN-5T344G8GM1H Logon ID: 0x1F0E3 Target Account: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Account Domain: WIN-5T344G8GM1H472400138240-921436483760003481613893Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity664716WIN-5T344G8GM1H1/19/2018 9:47:34 AMad8d0f9c-9109-0000-b10f-8dad0991d301securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Account Domain: WIN-5T344G8GM1H Logon ID: 0x1F0E3 Target Account: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Account Domain: WIN-5T344G8GM1H Changed Attributes: SAM Account Name: Administrator Display Name: <value not set> User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: 1/19/2018 9:47:34 AM Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x210 New UAC Value: 0x210 User Account Control: - User Parameters: - SID History: - Logon Hours: All Additional Information: Privileges: -473800138240-921436483760003481613892Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity664716WIN-5T344G8GM1H1/19/2018 9:47:34 AMad8d0f9c-9109-0000-b10f-8dad0991d301securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Domain Policy was changed. Change Type: Password Policy modified Subject: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Account Domain: WIN-5T344G8GM1H Logon ID: 0x1F0E3 Domain: Domain Name: WIN-5T344G8GM1H Domain ID: S-1-5-21-416071247-492812682-1642729393 Changed Attributes: Min. Password Age: ?? Max. Password Age: Force Logoff: ?? Lockout Threshold: Lockout Observation Window: - Lockout Duration: - Password Properties: - Min. Password Length: - Password History Length: 0 Machine Account Quota: 0 Mixed Domain Mode: 0 Domain Behavior Version: - OEM Information: - Additional Information: Privileges: -473900135690-921436483760003481613891Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity664716WIN-5T344G8GM1H1/19/2018 9:47:34 AMad8d0f9c-9109-0000-b10f-8dad0991d301securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoAuthentication Policy ChangeSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Account Domain: WIN-5T344G8GM1H Logon ID: 0x1F0E3 User: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Account Domain: WIN-5T344G8GM1H Process Information: Process ID: 0xfac Process Name: C:\Windows\System32\Sysprep\sysprep.exe479800138240-921436483760003481613890Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity664716WIN-5T344G8GM1H1/19/2018 9:47:34 AMad8d0f9c-9109-0000-b10f-8dad0991d301securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481613889Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity664716WIN-5T344G8GM1H1/19/2018 9:47:33 AMad8d0f9c-9109-0000-b10f-8dad0991d301securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x290 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613888Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity664716WIN-5T344G8GM1H1/19/2018 9:47:33 AMad8d0f9c-9109-0000-b10f-8dad0991d301securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The audit log was cleared. Subject: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Domain Name: WIN-5T344G8GM1H Logon ID: 0x1F0E31102041040462069321768212889613887Microsoft-Windows-Eventlogfc65ddd8-d6ef-4962-83d5-6e5cfe9ce148Security4361136WIN-5T344G8GM1H1/19/2018 9:47:33 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLog clearSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]